Preface



Software design and program development is widely recognised as a highly creative task. The reason for this understanding is that industrial-strength software has some inherent conceptual complexity which can, as in the case of concurrent, reactive systems, easily exceed the human intellectual capacity. Finding ways to master this complexity is therefore one of the major challenges in computer science today.

So far, a common approach in software engineering has been to apply 
during the design phase a variety of structured techniques like top-down 
design, decomposition, and abstraction in order to cope with the complexity 
of large software systems. Only after the design is completed does intensive 
testing in the implementation phase ensure reliability, usually understood 
as absence of program errors. However, this approach neglects the fact that 
central aspects of software design and program development have a strong 
formal character that in principle admits tool support for the construction of 
reliable and correct computer systems. A crucial precondition for the success 
of such a computer-aided effort is, in fact, the availability of methods and 
techniques which perform the required formal reasoning. 

This monograph aims to provide the theoretical foundations needed for the verification of reactive, sequential infinite-state systems. In particular, we will develop two new algorithms that allow us to automatically verify important aspects, like safety or liveness properties, of the given infinite-state system. As we deal with infinite-state spaces, many theoretical topics are involved, including process algebras, fixpoint theory, modal logics, and model checking. To stress the importance of a sound foundation for the developed verification methods, we put particular emphasis on the presentation of the formal framework which we hope will be of use also for future extensions.

This monograph is a revised version of my doctoral dissertation which was submitted to the Faculty of Mathematics and Natural Sciences of the Rheinisch-Westfälische Technische Hochschule Aachen and accepted in July 1995.

I would like to thank my supervisor Bernhard Steffen who introduced me 
to the subject and provided many inspiring discussions that greatly influenced 
the contents of my thesis. I also want to thank him and his wife Tiziana for 
their kind hospitality during my several visits to Passau. 
I also thank Klaus Indermark for his constant support as well as his enthusiasm during my employment at the Department of Computer Science at Aachen.

Thanks are also due to Didier Caucal, who after a discussion in Passau 
initiated my work on the bisimulation equivalence problem by pointing me to 
some of his previous research. I also want to thank him for his many useful 
comments that influenced much of the topic of Chapter 5, as well as for his 
kind support during my stay at IRISA in Rennes where we continued the 
work on the bisimulation problem for context-free processes. 

I am also indebted to Colin Stirling who influenced implicitly, and after 
we met personally in Edinburgh also explicitly, the presentation of the model 
checking algorithm and its associated theory. 

Finally, I am also grateful both to an anonymous referee and to Markus 
Schweighofer, who gave a number of hints on a draft version that helped to 
improve the final presentation. 

Last but not least, warm thanks to my wife Simone for taking good care 
of me by providing constant emotional and practical support. 

Dortmund, October 1997 Olaf Burkart 




Foreword 



After almost twenty years of concurrency theory, we face a wide spectrum of formalisms - process algebras, models for concurrency, and application specific languages - which all come with their specific expressive power and conceptual complexity. There is currently no sign that this tendency to diversity will end. In response to this state of the art, various tools have been developed, each addressing very specific scenarios on the basis of tailored methodologies. They provide keys to the practical use of all the described theory, as they have the potential to constitute an interface between theory and practice on a purely phenomenological level.

The typical development of such tools, which I am convinced provide a new momentum to concurrency theory and even to formal methods in general, goes through three sometimes overlapping phases: a conceptual phase, where the underlying decidability issues are studied, usually by pure mathematical reasoning, a complexity-oriented realization phase, where appropriate data structures and algorithms are designed and implemented, and first case studies are performed, and a ‘civilisation’ phase, where people look at application scenarios and profiles, at appropriate interfacing to industrial environments and user communities, and where the investigation of the practical behaviour of algorithms on concrete applications gains importance over the usual worst case reasoning.

Currently, although the first ‘civilised’ formal-method based tools have 
become reality, the main effort is still invested in the first two phases, which 
still provide a huge potential for investigation. 

The contributions of this monograph belong to the first and second phase. New concepts and algorithms are provided, for both model checking and equivalence checking, which drastically extend the scope of automatic verification, and which, nevertheless, have the potential to give directions for efficient implementation. In fact, the results of the underlying dissertation include the first effective model checking algorithm for infinite state systems, namely the class of context-free and pushdown processes, which can be regarded as procedural extensions of finite automata. The underlying second-order semantics is rather elegant and surprisingly efficient: context-free processes can be model checked essentially in time proportional to the size of the argument process. Only the size of the property to be checked is critical. Moreover, as it has turned out in the meantime, second-order semantics allow comparatively simple extensions to formulae of higher alternation depth and to further generalised process calculi.

In addition, the first bisimulation checking algorithm of elementary complexity is presented, which covers all context-free processes. This algorithm, although extremely intricate and computationally expensive, paves the way towards efficient implementation: for the first time it allows an estimation of the worst case complexity of this class of processes. One may well expect that, as already experienced in the case of normed context-free processes, which over the years have been shown to admit polynomial bisimulation checking, the complexity result provided in this thesis will be drastically improved in the near future, making context-free bisimulation checking a tool of practical relevance.

All these contributions are based on an impressive collection of new algebraic theorems, which are interesting already on their own: they provide in fact a strong intuition about infinite state systems, properties of parallel composition, and differences between normed and unnormed processes, as well as between context-free and pushdown processes in a branching-sensitive scenario. Thus this monograph also provides a comprehensive overview of the foundations of infinite state verification for the considered classes of processes, and reveals essential differences between the new branching-sensitive theory and ‘classical’ automata and formal language theory.

Summarising, the reader will find elegant and deep theory as well as comprehensible algorithms, which I am convinced will be the key for a better understanding of process theory. In fact, I believe that corresponding implementations will enhance this understanding, and tuned versions will enter modern environments for concurrent system design in the near future in the general course of formal methods integration. This general trend has recently been observed for finite state model checking, which, like the now omnipresent type checking, quickly conquered the industrial hardware design arena. I am convinced that this trend will continue for other fully automatic verification techniques like the ones presented in this thesis. Thus this monograph provides a wealth of valuable information, both for pure theoreticians interested in algebraic theories and for tool builders who are open to conquering new ground in their desire to construct practically relevant tools.

Dortmund, November 1997 Bernhard Steffen 
1. Introduction



Distributed, concurrent, and reactive systems are playing an increasingly important role in computer science, both in theory and in practice. Software systems with these characteristics, among them communication protocols, database systems, and operating systems, tend to exhibit a rich set of behaviours, are inherently complex and therefore complicated to build. Consequently, a great deal of work has been done investigating formal techniques supporting the correct construction of concurrent systems, as well as their verification. The latter is often of particular interest, since concurrent systems are being used in e.g. safety-critical control systems and arise in the design of digital circuits. Verification can then be applied to guarantee that central aspects of the intended system behaviour, like e.g. safety or liveness properties, are correct with respect to their specifications. In contrast to pure testing, this methodology has the important benefit that it directly supports early error detection by revealing logical errors already in the design phase, and that it considerably increases the confidence in the correctness of the produced software.

Not surprisingly, the verification of programs already has a long history in computer science. Since Floyd [Flo67] it is known that sequential programs can be verified by considering their partial correctness, specified in terms of pre-/postcondition annotations, together with their termination. In this concept the input/output behaviour of sequential programs constitutes a predominant factor. Subsequently, Hoare [Hoa69] recast Floyd’s method and introduced a logical framework which admits proving in a structured and compositional way that a sequential program meets its specification.

Reactive systems, on the other hand, are typically nonterminating, as they maintain an ongoing interaction with the environment. Hence, verification methods which rely on the existence of a final state are, usually, not applicable and must be replaced by radically different approaches. The fundamental concept of invariance, which considers what remains true throughout the execution of a program, is then the appropriate notion to use for reactive systems. By investigating formalisms which support the specification of invariance properties the automated verification of concurrent, reactive systems has made great progress over the last decade (cf. [Lam94]) and a number of tools exploiting the various paradigms for verification exist today (cf. [Mad92, CGL94]).

In this monograph we shall concentrate on two powerful techniques for the verification of reactive systems (or processes): model checking and equivalence checking. Both methods have successfully been applied, in particular, to finite-state systems since the finitary nature of these systems guarantees immediately the existence of effective verification procedures. Under these circumstances analysis and verification tools typically explore completely the reachable state space of the system at hand in order to prove it automatically correct. However, it is a fact of life that realistic systems are often infinite-state, excluding them, in general, from any automated verification. Consequently, a great deal of research effort has been put into identifying restricted, but still expressive, classes of infinite-state spaces that possess a decidable verification problem.

This monograph aims to show that large classes of sequential infinite-state processes are amenable to automated verification by means of model checking, as well as equivalence checking.



1.1 Sequential Processes 

From its beginning, one of the main objectives of concurrency theory has been the study of suitable models for concurrent and distributed systems. Notably the algebraic approach has proved valuable, and a number of powerful process calculi such as CSP [Hoa85], CCS [Mil89], or ACP [BW90] have emerged. All these calculi have in common that they consist of an algebraic syntax specifying the operators for constructing larger processes from smaller ones, some structural operational semantics defining the behaviour of processes in terms of labelled transition graphs, and one or more behavioural equivalences, like e.g. bisimulation or the coarser language equivalence, which reflect some notion of observation.

The purpose behind the various process calculi that have been proposed has been to capture, and thus to support the understanding of, such central aspects of concurrency as e.g. parallelism, nondeterminism, or communication. However, the computational power of these calculi immediately delivers undecidability results for a broad range of properties. Therefore much attention has been devoted to the study of less powerful process models and their related verification problems.

In this monograph we shall particularly be interested in several classes of processes where sequential composition plays a major role. The least expressive class we would like to mention is the class of regular processes as introduced by Milner [Mil84] which contains all processes recursively defined in terms of the operations of nondeterministic choice ’+’ and prefixing ’a.’. Prefixing is a restricted form of sequential composition since a process a.P can be viewed as consisting of two processes: the one which terminates after execution of the a-action, and the process denoted by P. The expressiveness of regular processes is necessarily limited since they may describe only finite-state systems, and hence, correspond to finite automata. Interpreted with respect to trace (language) semantics regular processes thus characterise the well-known class of regular languages.

Beyond the finite-state case, the next natural class of interest is the class of context-free processes modelled by Basic Process Algebra (BPA) [BW90], a subalgebra of ACP. Here prefixing is replaced by general sequential composition P · Q with the interpretation that the process denoted by Q may start reacting only after P has successfully terminated. This generalisation allows context-free processes to model, for instance, infinite counters or unbounded stacks, entities which can be found in many realistic systems. However, the enhancement to the expressive power also immediately gives rise to some undecidable properties since there is an obvious correspondence between transition graphs of context-free processes and leftmost derivations of context-free grammars. Consequently, the (completed) trace sets of context-free processes coincide with the class of context-free languages which is known to possess a number of undecidable properties itself.

One may now be led to wonder what the correspondence will look like for 
transition graphs of pushdown automata, called pushdown processes in the 
area of concurrency theory. Clearly, trace semantics is then of minor interest 
as context-free grammars and pushdown automata are equally expressive 
concerning the languages they characterise. However, it turns out that in 
the finer setting of bisimulation semantics the class of pushdown processes 
strictly includes the class of context-free processes [CM90], and therefore 
builds a class of its own interest. 

In this monograph we shall explore in detail the class of pushdown processes by means of Pushdown Process Algebra (PDPA) [BS94], a process calculus we propose as the algebraic framework for this family of processes. Its main innovation is a generalised sequential composition operator incorporating an additional control component. We shall develop some algebraic properties for pushdown processes and will show that they are the smallest extension of context-free processes up to relabelling that is closed under synchronised parallel composition with finite-state processes.



1.2 Model Checking 

One of the most promising approaches to the verification of concurrent systems is model checking. In this approach, one uses formulas of a temporal logic to specify the desired properties of a system and a decision procedure then determines automatically whether the start state of the system in question satisfies the given formulas. Although theoretically model checking is always applicable to finite-state systems, since an exhaustive traversal through the reachable state space of the system at hand can effectively provide enough information to solve the verification problem, there exist practical limits in terms of the system size which can be handled. Unfortunately, systems made up of several concurrent components can easily reach these limits as the size of their global state space is, usually, exponential in the number of components. Despite this state explosion problem, for finite-state systems a number of automatic verification tools supporting a variety of model checking algorithms for different temporal logics have successfully been developed over the last decade [Mad92, CGL94].

Whereas model checking for finite-state systems is already well-established (cf. e.g. [EL86, CES86, Lar88, SW89, Win89, Cle90, CS92]), the theory for infinite-state spaces is a current research topic. Bradfield and Stirling [Bra91, BS92a], for instance, observed that tableaux-based model checking covers general infinite-state systems. However, due to its generality, their method is not always effective. Therefore much research [CHS92, CHM93, HS93, BER94, Esp94, EK95] has aimed at identifying restricted classes of infinite-state processes which still allow automatic verification.

One of the central results so far is the paper of Muller and Schupp [MS85] who proved that the theory of monadic second-order logic (MSOL) is decidable for the class of pushdown transition graphs. As a consequence, the model checking problem on pushdown transition graphs is decidable for the full modal μ-calculus, a powerful temporal logic which can be interpreted in MSOL. However, their decision procedure is nonelementary and thus not applicable to practical problems.

We contribute to this field of research by developing an iterative model checking algorithm that decides the alternation-free part of the modal μ-calculus for pushdown processes [BS92b, BS94] in exponential time. The point of our algorithm is to consider a second-order variant of the standard iterative model checking techniques which operates on the Fischer-Ladner closure [FL79] of a given formula. It determines property transformers for the fragments of the pushdown automaton, which describe the set of subformulas that are valid at the start state of a fragment relative to the set of subformulas that are valid at its end states. Here the number of end states of a fragment, which actually coincides with the number of states of the finite control of the underlying pushdown automaton, determines the arity of the corresponding property transformer. Our new equation system-based algorithm elegantly realizes the corresponding computation. After the determination of these property transformers, the model checking problem can easily be decided. We simply check whether the formula under consideration is a member of the set of subformulas that results from applying the property transformer associated with the initial fragment of the pushdown automaton to the set of subformulas that are valid at the end states.

Having settled the model checking problem for pushdown processes we shall prove that the set of states of a pushdown transition graph satisfying a formula of the μ-calculus is always regular. This result is a simple consequence of the compositionality of second-order semantics and relies on an automata-based construction.



1.3 Equivalence Checking 

Equivalence checking is a powerful alternative to model checking for the verification of concurrent processes. It is based on the central notion of observational equivalence which captures formally when two processes are said to exhibit the same behaviour (cf. [Gla90]). Equivalence checking assumes that the system SYS, as well as the specification SPEC, are given as process descriptions, usually, however, at different levels of abstraction. The system SYS is then proved correct with respect to the specification SPEC by simply showing SYS = SPEC for the equivalence = of interest. The observation that for finite-state systems all reasonable equivalences are known to be decidable led to the development of a number of software tools supporting the automatic verification of such systems [Mad92, CGL94]. However, when considering infinite-state spaces completely different methods are required, as the standard equivalence checking algorithms which are mainly based on exhaustive decision procedures fail to work, and decidability becomes an important issue.

For example, from classical language theory it is known that language equivalence is decidable for regular systems, whereas the problem becomes undecidable if one moves further up in the Chomsky hierarchy to the class of context-free languages. In the “finer” process algebraic setting the situation is, however, different, as e.g. bisimilarity is decidable for normed context-free processes (BPA processes) [BBK87a], which are context-free processes that can terminate in finitely many steps at any point of the execution. This exceptional property of the bisimulation equivalence led to an intense investigation (cf. [Cau90, Gro91, HS91, HT94, HM94]), which resulted in a polynomial time decision procedure for normed context-free processes [HJM94].

When trying to generalise these results to the unnormed case where also nonterminating processes are allowed it turns out that again completely new techniques are required, as the decomposition properties for the normed case fail to hold. Nevertheless, considering bisimulation bases B characterising the bisimulation equivalence as the least congruence w.r.t. sequential composition containing B, Christensen, Hüttel and Stirling proved in [CHS92] that bisimulation is decidable also for unnormed context-free processes. The existence of such a finite relation B can be exploited for a decision algorithm based on two semi-decision procedures: one for enumerating all possible relations B which may contain the pair (α, β), and one for the enumeration of all non-bisimilar pairs of processes.

In this monograph we shall improve on the result of Christensen, Hüttel and Stirling by showing how to compute recursively a bisimulation base B, and exploit it for the construction of an elementary bisimulation decision procedure for arbitrary context-free processes [BCS95]. The key idea behind the construction of B is the determination of a new bound for the number of transitions needed to separate two normed non-bisimilar processes along the lines of [Cau89]. This bound allows the construction of an “initial” base, which subsequently must be refined by means of a fixpoint iteration similar to the one used in [HJM94] to obtain B. The decision algorithm is then completed by a straightforward branching algorithm.



1.4 Organisation of This Book 

In this book we address the analysis and verification of infinite-state systems 
by means of syntactical, logical and semantical methods. This classification 
is also reflected in the organisation of this book which is in detail as follows. 

In Chapter 2 we lay the background for our work. We summarise the basic definitions and properties concerning ordered sets, lattice theory and fixpoint theorems which will be needed when developing our model checker. Moreover, we briefly introduce some notions from the theory of rewrite systems which are important for our bisimulation decision procedure for arbitrary context-free processes. Subsequently, we give the central facts about context-free languages, which allow us to compare the setting of formal language theory with the framework of process theory for context-free structures. Next we shall introduce labelled transition graphs as our computational model and bisimulation as the behavioural equivalence we are interested in. The chapter closes by introducing the process calculus BPA modelling the class of context-free processes.

In Chapter 3 we extend the class of context-free processes to the class of pushdown processes, thereby proposing the process calculus Pushdown Process Algebra (PDPA). We shall discuss equational laws for this process calculus, and present a normal form theorem which allows us to represent pushdown processes by means of recursive PDPA equations obeying some restricted format. Furthermore, we establish that pushdown processes are the smallest generalisation of context-free processes up to relabelling that is closed under parallel composition with finite-state systems. We close this chapter by presenting related work exploiting different formalisms for the description of pushdown processes.

In Chapter 4 we present a model-checker that decides the alternation-free modal μ-calculus for context-free processes, as well as for pushdown processes. We shall define the modal μ-calculus used as our logical language for specifying system properties. We then extend the ordinary semantics of μ-formulas to the assertion-based semantics which turns out to be more suitable when considering decompositions of sequential processes. The dual point of view will lead us from the assertion-based semantics to the second-order semantics constituting the foundation of our equation based model checking algorithm which is subsequently presented. Finally, we shall give an automata-based construction which proves the regularity of μ-formula semantics with respect to pushdown transition graphs.

In Chapter 5 we develop an elementary algorithm for deciding bisimulation equivalence for arbitrary context-free processes. We shall introduce the notion of separability dealing with the complements of finite bisimulation approximations. We then present a branching algorithm for deciding bisimilarity of normed BPA processes which improves a similar tableaux-based proof system given by Hüttel and Stirling [HS91, Hüt91]. We then exploit the branching algorithm for the development of a bound on the number of transitions needed to separate two non-bisimilar normed context-free processes, thereby extending work of Caucal [Cau89]. Finally, we shall give our bisimulation base construction algorithm which can be used to obtain a bisimulation decision procedure for arbitrary context-free processes.

In Chapter 6 we summarise the results and give perspectives for further 
research. In particular, we outline relevant results which have been obtained 
since the submission of my Ph.D. thesis in summer 1995. 




2. Background 



2.1 Introduction 

In this chapter we present the background material needed in the rest of this 
monograph. We first review some basic definitions and results from lattice 
theory with a particular emphasis on fixpoint theorems, as well as from the 
theory of rewriting. We also recall some facts about formal language theory 
and consider in more detail the class of context-free languages. Then we 
introduce labelled transition graphs as the underlying models of concurrent 
systems and bisimulation equivalence as the notion of behavioural equivalence 
we are interested in. Finally, we define the class of context-free processes using 
the process calculus BPA. 



2.2 Fixpoint Theory 

The theory of fixpoints is applied in many areas of computer science, perhaps most prominently in the theory of denotational semantics of sequential programs. In this monograph, however, fixpoint theory will provide the mathematical basis for a different framework: the semantics of temporal logics which include fixpoint operators. Formulas of these logics will be interpreted with respect to a given model with the intended meaning that a formula will denote the set of states in the model where the formula holds. The semantics of the two fixpoint operators are then naturally defined as the appropriate fixpoints of a particular function associated with the formula at hand.
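As an added illustration of how the two fixpoint operators are read as fixpoints of a set function (this is constructed example code, not the monograph's own), the Python below builds a small labelled transition graph, the modalities ⟨a⟩ and [a] of the modal μ-calculus, and computes least and greatest fixpoints by iterating from the bottom and from the top of the powerset lattice of states. It assumes the standard result, not stated on this page, that a monotone function on the finite powerset of states reaches its least (greatest) fixpoint after finitely many iterations from ∅ (from the full state set); the state names, transitions and the two formulas are made up for the example.

```python
"""Fixpoint semantics of mu/nu on a finite labelled transition graph.
Added example, not code from the monograph.  A formula denotes a set of
states; mu X.phi / nu X.phi denote the least / greatest fixpoint of the
monotone set function X -> [[phi]](X)."""
from typing import Callable, Dict, FrozenSet, Set, Tuple

State = str
StateSet = FrozenSet[State]

# Constructed example graph (not from the text):
#   s0 -a-> s1, s0 -a-> s2, s1 -b-> s1, s2 -a-> s2, s2 -b-> s3
STATES: StateSet = frozenset({"s0", "s1", "s2", "s3"})
TRANSITIONS: Dict[Tuple[State, str], Set[State]] = {
    ("s0", "a"): {"s1", "s2"},
    ("s1", "b"): {"s1"},
    ("s2", "a"): {"s2"},
    ("s2", "b"): {"s3"},
}


def successors(s: State, action: str) -> Set[State]:
    return TRANSITIONS.get((s, action), set())


def diamond(action: str, X: StateSet) -> StateSet:
    """<action>X: states with at least one action-successor in X."""
    return frozenset(s for s in STATES if successors(s, action) & X)


def box(action: str, X: StateSet) -> StateSet:
    """[action]X: states all of whose action-successors lie in X
    (vacuously true for states without such successors)."""
    return frozenset(s for s in STATES if successors(s, action) <= X)


def lfp(f: Callable[[StateSet], StateSet]) -> StateSet:
    """Least fixpoint by iteration from the bottom element (empty set).
    Assumes f is monotone; on a finite state space the ascending chain
    f(0) <= f(f(0)) <= ... stabilises after at most |STATES| strict steps."""
    X: StateSet = frozenset()
    while True:
        Y = f(X)
        if Y == X:
            return X
        X = Y


def gfp(f: Callable[[StateSet], StateSet]) -> StateSet:
    """Greatest fixpoint by iteration from the top element (all states)."""
    X: StateSet = STATES
    while True:
        Y = f(X)
        if Y == X:
            return X
        X = Y


def can_reach_via_a(P: StateSet) -> StateSet:
    """mu X. P or <a>X : states from which some a-path reaches a P-state."""
    return lfp(lambda X: P | diamond("a", X))


def invariantly(safe: StateSet) -> StateSet:
    """nu X. safe and [a]X and [b]X : states from which every path stays
    inside 'safe' (an invariance property)."""
    return gfp(lambda X: safe & box("a", X) & box("b", X))


if __name__ == "__main__":
    print(sorted(can_reach_via_a(frozenset({"s1"}))))  # ['s0', 's1']
    print(sorted(invariantly(STATES - {"s3"})))         # ['s1']
```

On this graph only s1 satisfies the invariance formula: s0 can move to s2, and s2 can move to s3, so neither stays inside the safe set on every path, and the greatest-fixpoint iteration removes them one round at a time. The least-fixpoint iteration for reachability grows upward from ∅ and stops once no new state has an a-successor in the set already found.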

In this section we summarise some of the basic definitions and properties 
of ordered sets, and give a brief introduction into lattice theory. The interested 
reader can find a more detailed elaboration of the field in e.g. [DP90]. 

2.2.1 Ordered Sets 

Definition 2.2.1. A partial order on a set M is a binary relation ⊑ on M such that, for all x, y, z ∈ M,

1. x ⊑ x

2. x ⊑ y and y ⊑ x imply x = y

3. x ⊑ y and y ⊑ z imply x ⊑ z

If ⊑ is a partial order on M, we call M a partially ordered set (or poset for short).

O. Burkart: Automatic Verification of Sequential Infinite-State Processes, LNCS 1354, pp. 9-31, 1997
© Springer-Verlag Berlin Heidelberg 1997

Definition 2.2.2. A poset M is called a chain (or totally ordered set) if, for all x, y ∈ M, either x ⊑ y or y ⊑ x.

When considering maps between ordered sets, those which preserve the underlying structure will be of special interest.

Definition 2.2.3. Let (M, ⊑_M) and (N, ⊑_N) be posets. A mapping f : M → N is said to be monotone (or order-preserving) if, for all x, y ∈ M,

x ⊑_M y ⇒ f(x) ⊑_N f(y)

An important point to observe is that structure preserving maps are closed 
under functional composition. 

Lemma 2.2.1. Let f : M → N and g : N → O be monotone mappings. Then the composite mapping g ∘ f : M → O, (g ∘ f)(x) =df g(f(x)), is also monotone.

As usual, we will use the notation f(X) for { f(x) | x ∈ X } in the sequel.

Definition 2.2.4. Let M be a poset and let X ⊆ M. Then x ∈ X is said to be the greatest element of X if we have y ⊑ x for all y ∈ X. The least element of X is defined dually.

This definition implies that the greatest (least) element of X is unique, if it 
exists. 

Definition 2.2.5. Let M be a poset. The greatest element of M, if it exists, is called the top element and denoted by ⊤. Similarly, the least element of M is called the bottom element and written as ⊥.

The following constructions of new posets from existing ones will be useful. 

Definition 2.2.6. Let M_1, ..., M_n be posets. The cartesian product M = M_1 × ... × M_n can be partially ordered by the coordinatewise order defined by

(x_1, ..., x_n) ⊑_M (y_1, ..., y_n) iff x_i ⊑_{M_i} y_i, for all 1 ≤ i ≤ n

Given a poset M we use the abbreviation M^n for the n-fold product M × ... × M.

Definition 2.2.7. Let M be any set and N be a poset. The set of all mappings 
from M to N, denoted by $(M \to N)$, can be partially ordered as 
follows 

$f \sqsubseteq g$ iff $f(x) \sqsubseteq_N g(x)$, for all $x \in M$. 

If M itself is a poset, we may build the set of all monotone mappings from 
M to N, denoted by $(M \to N)$, equipped with the above given ordering. 
Definition 2.2.8. Let M be a poset and let $X \subseteq M$. 

— An element $u \in M$ is called an upper bound of X if $x \sqsubseteq u$ for all $x \in X$. 
A lower bound of X is defined dually. If b is an upper (lower) bound of X 
we will also write $X \sqsubseteq b$ ($b \sqsubseteq X$). 

— An element $x \in M$ is called the least upper bound (or supremum) of X, 
denoted by $\sup X$, if x is an upper bound of X and it is the least element 
of all upper bounds of X. The greatest lower bound (or infimum) of X is 
defined dually and denoted by $\inf X$. 

Note that least upper bounds and greatest lower bounds are unique, if 
they exist. We will use the following notations, provided the suprema and 
infima occurring exist: 

$x \sqcap y =_{df} \inf\{x, y\}$ for the "meet", 
$x \sqcup y =_{df} \sup\{x, y\}$ for the "join", 
$\sqcap X =_{df} \inf X$, and 
$\sqcup X =_{df} \sup X$. 





We shall now concentrate on posets where the above operations are always 
defined. 

Definition 2.2.9. Let L be a nonempty poset. 

— If any two elements have a supremum and an infimum, L is called a lattice. 

— If the supremum and the infimum exist for all $X \subseteq L$, then L is called a 
complete lattice. 

Now it can be shown that every complete lattice has a top and a bottom 
element. Moreover, it is known that every finite lattice is complete. 

Important examples of complete lattices are the powerset of any set M, as 
well as the set of all mappings between two complete lattices. 

1. The powerset $2^M$ of any set M is a complete lattice where join and meet 
are given by 

$\bigcup\{ X_i \subseteq M \mid i \in I \}$ 
$\bigcap\{ X_i \subseteq M \mid i \in I \}$ 

2. Let M be an arbitrary set, and N be a complete lattice. Then the set 
$(M \to N)$ of all mappings from M to N is also a complete lattice with 
the usual pointwise ordering, and join and meet are given by 

$\sqcup\{ f_i : M \to N \mid i \in I \}(x) =_{df} \sqcup\{ f_i(x) \mid i \in I \}$ 
$\sqcap\{ f_i : M \to N \mid i \in I \}(x) =_{df} \sqcap\{ f_i(x) \mid i \in I \}$ 

Ordered sets are often used to model approximations. Therefore, subsets 
which tend towards a limit are particularly interesting. 
Definition 2.2.10. Let X be a nonempty subset of a poset M. X is called 
directed if, for every finite subset $Y \subseteq X$, there exists some $x \in X$ such that 
$Y \sqsubseteq x$. 

Definition 2.2.11. A poset M is called a complete partially ordered set 
(CPO) if 

1. M has a bottom element $\bot$, and 

2. $\sqcup D$ exists for each directed subset D of M. 

Examples of CPO’s are given by complete lattices which clearly satisfy the 
conditions given in the definition. 

In particular, when considering maps on infinite domains the property 
of structure preservation is often not enough. In these cases, a finer notion 
which takes into account the behaviour of mappings at infinity is needed. 

Definition 2.2.12. Let M, N be CPO's. A mapping $f : M \to N$ is called 
continuous if for each directed subset D of M, 

$f(\sqcup D) = \sqcup f(D)$. 

It can be proved that continuous mappings are closed under functional 
composition, and that continuity is a stronger notion for mappings than 
monotonicity. However, for mappings on finite domains both notions coin- 
cide. 

2.2.2 Fixpoint Theorems 

In theoretical computer science, solving equations can frequently be expressed 
as searching for a value x of an appropriate domain M such that x is a fixpoint 
of some function $f : M \to M$, i.e. $f(x) = x$. Particularly, when M carries 
an order the additional structure plays an important role as it may be used 
to guide the search for solutions. In this case solutions are often obtained by 
computing successive approximations, and the overall computation process 
then aims in each step at increasing the information contents of these partial 
solutions until a complete solution, provided it exists and can be computed in 
a finite amount of time, is found. The theoretical foundations of this approach 
are formulated in a number of fixpoint theorems which explore the existence 
of fixpoints for different kinds of orders and different properties of the function 
/ under consideration. In the following we give the definitions we need in this 
monograph in order to develop our results. 

Definition 2.2.13. Let M be a poset and let $f : M \to M$ be a mapping. 
We say that $x \in M$ is a fixpoint of f if $f(x) = x$. Moreover, we call x a 
pre-fixpoint, respectively a post-fixpoint, if $x \sqsubseteq f(x)$, respectively $f(x) \sqsubseteq x$. 
Note that the set of all fixpoints of f, denoted by $Fix(f)$, may also be equipped 
with the order induced by M. The least (greatest) element of $Fix(f)$, when it 
exists, is then denoted by $\mu f$ ($\nu f$). 

When computing fixpoints the iterative application of functions plays a major 
role. Therefore, we define the n-fold composition of a function $f : M \to M$ 
inductively by $f^0 =_{df} id_M$ and $f^n =_{df} f \circ f^{n-1}$ for $n \ge 1$, where $id_M$ denotes 
the identity function on M. 

Fixpoint theory is now based on the so-called fixpoint theorems. Here, 
we will only present the versions for continuous functions defined on CPO’s, 
and for monotone functions defined on complete lattices. For a more detailed 
survey, in particular about the history of various fixpoint theorems, the in- 
terested reader is referred to [LNS82]. 

Theorem 2.2.1. Let M be a CPO and $f : M \to M$ be a continuous mapping. 
Then 

$\mu f = \bigsqcup_{n \ge 0} f^n(\bot)$, and $\nu f = \bigsqcap_{n \ge 0} f^n(\top)$. 

The importance of this theorem lies in the fact that on finite domains, 
where continuity coincides with monotonicity, it allows one to compute effectively 
the appropriate fixpoint by simply taking either the bottom or the top element, 
respectively, and then iteratively applying f. Monotonicity of f and 
finiteness of the underlying domain will then guarantee that this computation 
eventually terminates. 

Theorem 2.2.2 (Knaster, Tarski). Let L be a complete lattice and $f : 
L \to L$ a monotone mapping. Then 

$\mu f = \sqcap\{ x \in L \mid f(x) \sqsubseteq x \}$, and $\nu f = \sqcup\{ x \in L \mid x \sqsubseteq f(x) \}$. 

Moreover, we have that $Fix(f)$ is a complete lattice. 

The characterisation of the least and greatest fixpoint as the meet over all 
post-fixpoints, respectively the join over all pre-fixpoints, as given by Knaster 
and Tarski in the previous theorem immediately yields the following 
lemma, which is used in proofs where we have to show that a certain value is indeed the 
appropriate fixpoint we wanted to compute. 

Lemma 2.2.2. Let L be a complete lattice and $f : L \to L$ a monotone 
mapping. Then we have, for all $x \in L$, 

$f(x) \sqsubseteq x$ implies $\mu f \sqsubseteq x$, and 

$x \sqsubseteq f(x)$ implies $x \sqsubseteq \nu f$. 

2.3 Relations and Rewrite Systems 

The development of our algorithm for deciding bisimulation equivalence of 
arbitrary context-free processes (cf. Chapter 5) relies on the computability 
of a certain bisimulation base B which characterises bisimulation as the least 
congruence which contains B. In this section we introduce the notions con- 
cerning relations and the theory of rewriting we need in order to establish 
this result. 
2.3.1 Relations 

Let M be a set. A subset $R \subseteq M \times M$ is called a (homogeneous) relation on 
M. The domain $dom(R)$ of a relation R is the set $\{ x \mid (x, y) \in R \}$, whereas 
the image $im(R)$ of a relation R is the set $\{ y \mid (x, y) \in R \}$. 

Let $R_1$ and $R_2$ be two binary relations on $M \times M$. The relational product 
of $R_1$ and $R_2$, denoted by $R_1 \circ R_2$, is defined as 

$R_1 \circ R_2 =_{df} \{ (x, z) \mid \exists y \in M.\ (x, y) \in R_1 \wedge (y, z) \in R_2 \}$ 

The n-fold product of R is defined inductively as $R^0 =_{df} \{ (x, x) \mid x \in M \}$ 
and $R^n =_{df} R \circ R^{n-1}$ for $n \ge 1$. The transitive closure of R, denoted by $R^+$, 
is the relation 

$R^+ =_{df} \bigcup_{n \ge 1} R^n$, 

whereas the reflexive, transitive closure of R is defined by 

$R^* =_{df} \bigcup_{n \ge 0} R^n$. 

Moreover, the inverse of R is defined by $R^{-1} =_{df} \{ (y, x) \mid (x, y) \in R \}$ and 
the symmetric closure of R is the relation $R \cup R^{-1}$. Finally, the reflexive, 
symmetric, transitive closure of R is defined by $(R \cup R^{-1})^*$. 

A relation $R \subseteq M \times M$ is said to be an equivalence relation if 

— R is reflexive, i.e. $(x, x) \in R$ for all $x \in M$, 

— R is symmetric, i.e. $(x, y) \in R$ implies $(y, x) \in R$ for all $x, y \in M$, and 

— R is transitive, i.e. $(x, y) \in R$ and $(y, z) \in R$ implies $(x, z) \in R$ for all 
$x, y, z \in M$. 

2.3.2 Rewrite Systems 

Let M be a nonempty set and $\to \subseteq M \times M$ be a binary relation on M. Then 
$(M, \to)$ is called a rewrite system. 

As usual, we write $x \to y$ for $(x, y) \in \to$. We will also use the following 
standard notations: $\not\to$ for the complement of $\to$, $\to^n$ for the n-fold product, 
$\to^+$ for the transitive closure, $\to^*$ for the reflexive, transitive closure, $\leftarrow$ for 
the inverse relation, $\leftrightarrow$ for the symmetric closure, and finally, $\leftrightarrow^*$ for the 
reflexive, symmetric, and transitive closure. 

Much attention has been devoted to the word problem for rewrite systems, 
i.e. the question whether we can decide $x \leftrightarrow^* y$ for a given rewrite 
system $(M, \to)$ and $x, y \in M$. Although this problem turned out to be undecidable 
in general, often sophisticated decision procedures exist for restricted classes 
of rewrite systems. In this monograph we focus on rewrite systems which have 
the property that each element of M can be rewritten in a finite number of 
steps into a unique normalform, as this property guarantees decidability of the 
word problem. 
Definition 2.3.1. Let $(M, \to)$ be a rewrite system. 

— $x \in M$ is called irreducible if $x \not\to y$ for any $y \in M$, 

— $y \in M$ is said to be a normalform of $x \in M$ if $x \to^* y$ and y is irreducible, 

— $\to$ is called terminating if there does not exist an infinite sequence of 
rewrite steps $x_0 \to x_1 \to \ldots$, and 

— $\to$ is called confluent if, for all $x, y_1, y_2 \in M$, 

$x \to^* y_1$ and $x \to^* y_2$ implies $\exists z \in M$ such that $y_1 \to^* z$ and $y_2 \to^* z$. 

Proposition 2.3.1. If $(M, \to)$ is terminating and confluent, then every $x \in 
M$ has a unique normalform, denoted by $x\downarrow$. Moreover, we have 

$x \leftrightarrow^* y$ iff $x\downarrow = y\downarrow$. 

The last proposition thus provides, at least if $(M, \to)$ is terminating and 
confluent, an effective procedure to solve the word problem for two words x 
and y as follows. 

1. Compute the normalforms of x and y. Note that this process must terminate 
since $(M, \to)$ is terminating, and that it must produce uniquely 
defined results since $(M, \to)$ is also confluent. 

2. Compare the two normalforms for syntactical identity. 

Finally, we mention that M is frequently the set of words over some 
alphabet $\Sigma$. A binary relation $R \subseteq \Sigma^* \times \Sigma^*$ then induces a rewrite relation 
$\to_R$ as follows. 

$\to_R =_{df} \{ (xuy, xvy) \mid (u, v) \in R \text{ and } x, y \in \Sigma^* \}$ 

In this case, we call $(\Sigma^*, R)$ a word rewrite system. For a word rewrite system 
$(\Sigma^*, R)$ the reflexive, symmetric, transitive closure is always a congruence 
relation, i.e. it is an equivalence relation which additionally satisfies 

$u \leftrightarrow^*_R v$ implies $xuy \leftrightarrow^*_R xvy$, for all $x, y \in \Sigma^*$. 
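The two-step decision procedure for the word problem and the induced relation $\to_R$ of a word rewrite system, as an added example (written for this edition, not the monograph's own): the Python below fixes a constructed, terminating and confluent word rewrite system over $\Sigma = \{a, b\}$, enumerates the one-step relation $\to_R$, computes normal forms $x\downarrow$, and decides $x \leftrightarrow^*_R y$ by comparing them as Proposition 2.3.1 licenses. The rule set, the function names and the step bound are assumptions of the example.

```python
# Constructed word rewrite system (not from the monograph) over the alphabet
# Sigma = {a, b} with
#     R = { ba -> ab,  aa -> epsilon }.
# R is terminating (each step either shortens the word or moves an a to the
# left) and confluent (its two critical pairs, from "baa" and "aaa", are
# joinable), so by Proposition 2.3.1 every word has a unique normal form,
# which here has the shape a^i b^j with i in {0, 1}.
RULES = [("ba", "ab"), ("aa", "")]

def successors(word):
    """The full one-step relation ->_R: every (xuy, xvy) with (u, v) in R."""
    result = set()
    for pos in range(len(word)):
        for u, v in RULES:
            if word.startswith(u, pos):
                result.add(word[:pos] + v + word[pos + len(u):])
    return result

def rewrite_step(word):
    """One step under a fixed strategy (leftmost position, first matching
    rule); returns None if the word is irreducible."""
    for pos in range(len(word)):
        for u, v in RULES:
            if word.startswith(u, pos):
                return word[:pos] + v + word[pos + len(u):]
    return None

def is_irreducible(word):
    return rewrite_step(word) is None

def normal_form(word, max_steps=10_000):
    """x-downarrow: rewrite until irreducible.  Because ->_R is confluent the
    strategy does not matter.  The step bound is only a guard for systems that
    are not terminating; for R it is never hit."""
    for _ in range(max_steps):
        nxt = rewrite_step(word)
        if nxt is None:
            return word
        word = nxt
    raise RuntimeError("no normal form reached within the step bound")

def same_class(x, y):
    """Decide x <->*_R y by the two-step procedure: normalise, then compare
    the normal forms for syntactical identity."""
    return normal_form(x) == normal_form(y)

if __name__ == "__main__":
    for w in ("baba", "bab", "baa", "aaa"):
        print(w, "->*", normal_form(w), "  one-step successors:", successors(w))
```

The word "baa" shows the confluence condition concretely: it has two different successors, "aba" and "b", and both reduce to the same normal form "b". If one of the rules were removed from the critical-pair check, this is exactly where the uniqueness of normal forms, and with it the correctness of same_class, would fail.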

2.4 Context-Free Languages 

In this section we introduce context-free grammars and pushdown automata 
as description mechanisms for context-free languages. Finally, we give some 
decidability results concerning this class of formal languages. Detailed expo- 
sitions of the related theory can be found e.g. in the classical books [Har78] 
and [HU79]. 

Definition 2.4.1 (Context-Free Grammar). 

A context-free grammar is a quadruple $\mathcal{G} = (V, \Sigma, P, S)$, where V is a finite 
set of nonterminals, $\Sigma$ is a finite set of terminals, P is a finite set of productions, 
each having the form $A \to \alpha$, where A is a nonterminal and $\alpha$ is 
a word over $V \cup \Sigma$, and S is a distinguished nonterminal, called the start 
symbol. 

For each context-free grammar $\mathcal{G} = (V, \Sigma, P, S)$ the derivation relation $\Rightarrow_{\mathcal{G}}$ 
is defined by 

$\alpha A \beta \Rightarrow_{\mathcal{G}} \alpha \gamma \beta$ iff $A \to \gamma$ is a production of P and $\alpha, \beta \in (V \cup \Sigma)^*$. 

The special case when $\alpha = \varepsilon$ is called a leftmost derivation. Writing $\Rightarrow^*_{\mathcal{G}}$ 
for the reflexive and transitive closure of $\Rightarrow_{\mathcal{G}}$, the language generated by $\mathcal{G}$, 
denoted by $\mathcal{L}(\mathcal{G})$, is defined as 

$\mathcal{L}(\mathcal{G}) =_{df} \{ w \in \Sigma^* \mid S \Rightarrow^*_{\mathcal{G}} w \}$. 

We call $L \subseteq \Sigma^*$ a context-free language if $L = \mathcal{L}(\mathcal{G})$ for some context-free 
grammar $\mathcal{G}$. A useful simplification of context-free grammars which does not 
reduce the generative power is the reduction to Greibach Normal Form. 

Definition 2.4.2 (Greibach Normal Form). 

A context-free grammar $\mathcal{G} = (V, \Sigma, P, S)$ is said to be in Greibach Normal 
Form (GNF) if each production of P is of the form $A \to a\alpha$, where $A \in V$, 
$a \in \Sigma$ and $\alpha \in V^*$, i.e. each right-hand side starts with a terminal and is 
followed by a sequence of nonterminals. 



Now context-free grammars in GNF are as expressive as general context- 
free grammars since it can be proved that for every context-free language L 
which does not contain e there exists a context-free grammar in GNF that 
generates L. An alternative, machine based characterisation of context-free 
languages is given by the notion of a pushdown automaton. 

Definition 2.4.3 (Pushdown Automaton). 

A (nondeterministic) pushdown automaton^1 (PDA) is a 6-tuple 

$\mathcal{A} = (Q, \Gamma, \Sigma, \vartheta, q_1, Z_1)$, 

where Q is a finite set of (control) states, $\Gamma$ is a finite set of stack symbols, 
$\Sigma$ is a finite set of terminals, $q_1 \in Q$ is the initial state, $Z_1 \in \Gamma$ is the initial 
stack symbol and $\vartheta$, the transition function, is a mapping from $Q \times (\Sigma \cup 
\{\varepsilon\}) \times \Gamma$ to the finite subsets of $Q \times \Gamma^*$. 



The operational behaviour of a pushdown automaton $\mathcal{A}$ is formalised by 
the binary relation $\vdash_{\mathcal{A}}$ over configurations of $\mathcal{A}$ which capture the current 
internal state of the automaton together with the remaining input during a 
computation. We define for $a \in \Sigma$, $w \in \Sigma^*$, $q \in Q$, $Z \in \Gamma$ and $\gamma \in \Gamma^*$ 

$(q, Z\gamma, aw) \vdash_{\mathcal{A}} (q', \beta\gamma, w)$, if $(q', \beta) \in \vartheta(q, a, Z)$ 
$(q, Z\gamma, aw) \vdash_{\mathcal{A}} (q', \beta\gamma, aw)$, if $(q', \beta) \in \vartheta(q, \varepsilon, Z)$ 

^1 Since we will only consider acceptance by empty stack, we omit the otherwise 
needed set of final states. 
If $\vdash^*_{\mathcal{A}}$ denotes the reflexive and transitive closure of $\vdash_{\mathcal{A}}$, the language 
accepted (by empty stack) by $\mathcal{A}$, written as $\mathcal{L}(\mathcal{A})$, is defined by 

$\mathcal{L}(\mathcal{A}) =_{df} \{ w \in \Sigma^* \mid (q_1, Z_1, w) \vdash^*_{\mathcal{A}} (q, \varepsilon, \varepsilon) \text{ for some state } q \}$. 
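The configuration relation $\vdash_{\mathcal{A}}$ and acceptance by empty stack, as an added example (written for this edition; neither the automaton nor the code is from the monograph): the Python below encodes a constructed PDA for $\{ a^n b^n \mid n \ge 0 \}$, implements both clauses of $\vdash_{\mathcal{A}}$ (input-consuming and $\varepsilon$-moves), and decides $w \in \mathcal{L}(\mathcal{A})$ by a breadth-first search over configurations for $(q_1, Z_1, w) \vdash^*_{\mathcal{A}} (q, \varepsilon, \varepsilon)$. The transition table, the use of None for $\varepsilon$, and the configuration bound are assumptions of the example.

```python
from collections import deque

# Constructed PDA (not from the monograph) accepting { a^n b^n | n >= 0 } by
# empty stack.  The transition function vartheta is a dict keyed by
# (state, input symbol or None for epsilon, top stack symbol); each value is
# the finite set of (next state, string pushed in place of the top symbol).
# Stacks are strings whose first character is the top.
THETA = {
    ("q1", "a", "Z"): {("q1", "AZ")},   # first a: push A above the bottom marker
    ("q1", "a", "A"): {("q1", "AA")},   # further a's: push another A
    ("q1", "b", "A"): {("q2", "")},     # first b: pop one A, switch to q2
    ("q2", "b", "A"): {("q2", "")},     # further b's: pop
    ("q1", None, "Z"): {("q1", "")},    # epsilon-move: accept the empty word
    ("q2", None, "Z"): {("q2", "")},    # epsilon-move: empty the stack at the end
}
INITIAL_STATE, INITIAL_STACK = "q1", "Z"

def step(config):
    """All configurations reachable from `config` by one |-_A step: the
    input-consuming clause and the epsilon clause of the definition."""
    q, stack, inp = config
    if not stack:
        return set()                      # empty stack: no step is possible
    Z, gamma = stack[0], stack[1:]
    out = set()
    if inp:
        for q2, beta in THETA.get((q, inp[0], Z), ()):
            out.add((q2, beta + gamma, inp[1:]))
    for q2, beta in THETA.get((q, None, Z), ()):
        out.add((q2, beta + gamma, inp))
    return out

def accepts(word, max_configs=100_000):
    """w in L(A) iff (q1, Z1, w) |-* (q, eps, eps) for some q.  Breadth-first
    search over configurations; max_configs only guards against automata
    whose epsilon-moves grow the stack without bound."""
    start = (INITIAL_STATE, INITIAL_STACK, word)
    seen, queue = {start}, deque([start])
    while queue:
        config = queue.popleft()
        _, stack, inp = config
        if stack == "" and inp == "":
            return True
        for nxt in step(config):
            if nxt not in seen:
                if len(seen) >= max_configs:
                    raise RuntimeError("configuration bound exceeded")
                seen.add(nxt)
                queue.append(nxt)
    return False

if __name__ == "__main__":
    for w in ("", "ab", "aabb", "aab", "abb", "ba"):
        print(repr(w), accepts(w))
```

Note that "abb" is rejected although the stack does become empty: at that point one b of the input remains, and the definition requires both stack and input to be empty. Conversely "aab" leaves an A on the stack after the input is exhausted and no $\varepsilon$-move can remove it.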

Now it is a well-known fact that the class of languages accepted by PDA's 
coincides with the class of context-free languages. Moreover, it can be shown 
that the inclusion and the equivalence problem for context-free languages 
are undecidable, i.e. there does not exist any algorithm which decides for 
two arbitrary context-free grammars $\mathcal{G}_1$ and $\mathcal{G}_2$ whether $\mathcal{L}(\mathcal{G}_1) \subseteq \mathcal{L}(\mathcal{G}_2)$, or 
$\mathcal{L}(\mathcal{G}_1) = \mathcal{L}(\mathcal{G}_2)$, respectively. However, the situation looks somewhat different 
in the subclass of "simple" languages. 

Definition 2.4.4 (Simple Grammar). 

A context-free grammar $\mathcal{G} = (V, \Sigma, P, S)$ in GNF is said to be a simple 
grammar if for all $A \in V$, $a \in \Sigma$ and $\alpha, \beta \in V^*$ we have: 

$A \to a\alpha$ and $A \to a\beta$ implies $\alpha = \beta$ 

A language $L \subseteq \Sigma^*$ is then called simple, if $L = \mathcal{L}(\mathcal{G})$ for some simple 
grammar $\mathcal{G}$. 

Simple grammars have, in contrast to arbitrary context-free grammars, 
the pleasant property that they are deterministic in the sense that for any 
combination of a nonterminal to be expanded and a terminal to be gener- 
ated there is only a single production which can be applied. Although this 
restriction eliminates any nondeterminism it turns out that for this subclass 
of context-free languages the inclusion problem is still undecidable [Fri76]. 
However, as worked out by Korenjak and Hopcroft [KH66] the equivalence 
problem now becomes solvable. Remarkably, the best algorithm known today 
for testing language equivalence of simple grammars has been obtained as a 
particular instance of an algorithm for checking bisimulation equivalence of 
normed context-free processes developed by Hirshfeld, Jerrum, and Moller 
[HJM94]. 

Finally, we mention the class of deterministic context-free languages which 
are accepted by deterministic pushdown automata with a set of final states. The 
question whether equivalence is decidable within this class of languages, which 
lies strictly between the class of simple languages and that of context-free 
languages, is still an outstanding problem. 



2.5 Processes and Labelled Transition Graphs 

One of the main objectives of concurrency theory is to develop mathematical 
frameworks which allow one to model the behaviour and interaction of objects. 
The hope is that a clear mathematical description of the complex phenomena 
which may occur when objects interact will ease the understanding of and 
the reasoning about the overall behaviour of systems. In this setting a process 
stands for the mathematical abstraction of the interactions between a system 
and its environment. 

A common approach in concurrency theory is to base the intended mathematical 
theory on a language or calculus which allows one to describe processes 
as terms of a particular algebra, and then to define in a second step the 
operational semantics of the denoted process in terms of labelled transition 
graphs. These labelled transition graphs model the underlying semantics by 
using the fundamental concepts of state and change of state. 

Definition 2.5.1 (Labelled Transition Graph). 

A labelled transition graph is a triple $(S, Act, \to)$ consisting of 

— a set of states S, 

— a set of actions Act, and 

— a transition relation $\to \subseteq S \times Act \times S$. 

Intuitively, a labelled transition graph encodes the operational behaviour 
of a reactive system. The set S represents the set of states the system may 
enter, Act the set of actions the system may perform, and $\to$ the state transitions 
that may result upon execution of the actions. With this interpretation 
the abstract concept of a process can more concretely be identified with a 
state of a labelled transition graph. 

In the remainder of this monograph we will use the standard notations 
concerning labelled transition graphs as follows. If $(S, Act, \to)$ is a labelled 
transition graph, we shall write $s \xrightarrow{a} s'$ for $(s, a, s') \in \to$. As usual, we extend 
the transition relation by reflexivity and transitivity to allow $s \xrightarrow{w} s'$ for 
$w \in Act^*$. If no transition evolves from s, denoted by $s \not\to$, s is said to be 
terminating. If $s \xrightarrow{a} s'$ we call s' a successor of s. A labelled transition graph is 
called finitely branching if for each state s the set $\{ s \xrightarrow{a} s' \mid a \in Act, s' \in S \}$ 
is finite, and is called finite-state (or regular) if the set of states and the set 
of actions are finite. To emphasise that a labelled transition graph T has a 
distinguished initial state s, we will call T a rooted labelled transition graph 
with root s. 

In this monograph we shall particularly be interested in processes which 
are sequentially composed. Intuitively, such processes consist of several se- 
quential components each with a distinguished entry point, the start state, 
and possibly multiple end states representing successful termination. 

In general, sequential components $P_1$ and $P_2$ may be connected by fusing 
an end state of $P_1$ with the start state of $P_2$. This fusion reflects the intended 
behaviour that the second component may start reacting only after the first 
one has successfully terminated and reached the end state where $P_2$ was 
connected. In terms of labelled transition graphs this notion is made precise 
as follows. 
Definition 2.5.2 (Sequential Labelled Transition Graph (SLTG)). 

A sequential labelled transition graph 

$T = (S, Act, \to, s_0, (s_1, \ldots, s_n))$ 

of arity n is a labelled transition graph where 

— $s_0$ is a distinguished state, the start state, and 

— $s_1, \ldots, s_n$ are end states which are terminating, i.e. $s_i \not\to$, for $1 \le i \le n$. 

For ease of presentation, we will assume that start states of SLTG's possess 
no in-going transitions. This is no severe restriction since an SLTG T where 
some transitions leading to the start state exist may be transformed into an 
SLTG T' complying with the assumption by introducing a new start state s 
equipped with the same out-going transitions as the original one. This way 
we obtain the sequential labelled transition graph 

$T' = (S \cup \{ s \}, Act, \to \cup \{ s \xrightarrow{a} s' \mid s_0 \xrightarrow{a} s' \text{ for some } s' \in S \}, s, (s_1, \ldots, s_n))$ 

which clearly obeys the restriction. Concerning any reasonable behavioural 
equivalence there should be no difference between T and T'. 

Furthermore, incorporating the possibility of termination in one of mul- 
tiple end states will allow us later on to use sequential labelled transition 
graphs for the modelling of transition graphs of pushdown automata. In this 
case termination will correspond to having reached the empty stack, while the 
finite control of the pushdown automaton determines the end state reached. 
Motivated by this behaviour of a pushdown automaton we define the sequen- 
tial composition of SLTG’s in the following particular way. 

Definition 2.5.3 (Sequential Composition). 

The sequential composition of $n + 1$ sequential labelled transition graphs 

$T_i = (S_i, Act, \to_i, s_{i0}, (s_{i1}, \ldots, s_{in}))$, $0 \le i \le n$, 

denoted by $T_0 ; (T_1, \ldots, T_n)$, is defined as the sequential labelled transition 
graph obtained by fusing, for $1 \le i \le n$, the i-th end state of $T_0$ with the start 
state of $T_i$ resulting in the state $s_i$, as well as fusing, for $1 \le i \le n$, the i-th 
end states of $T_1, \ldots, T_n$ resulting in a state $e_i$. 

There are two things to note about this choice of definition for sequential 
composition: first that all SLTG's involved must have the same arity, and 
second that end states of $T_1, \ldots, T_n$ which occur at the same position are 
identified. Both properties together will ensure that SLTG's of a fixed arity 
n are closed under sequential composition. 

To demonstrate this concept we illustrate in Figure 2.1 the sequential 
composition of labelled transition graphs with arity 2. 

[Figure] Fig. 2.1. Sequential composition of labelled transition graphs with arity 2. 



2.5.1 Behavioural Equivalences 

In order to capture when two processes are said to exhibit the same be- 
haviour an abundance of equivalences have been proposed in the literature. 
Most of them have been classified by van Glabbeek [Gla90] into a hierar- 
chy of behavioural equivalences ordered according to how many identifica- 
tions between processes they make. The finest equivalence in this hierarchy 
is bisimulation equivalence proposed by Milner and Park [Mil80, Par81]. In 
particular, after the introduction of Milner's Calculus of Communicating Systems 
(CCS) [Mil89] bisimulation evolved as an important theoretical notion, 
and now forms the foundation of a whole theory. 

Definition 2.5.4 (Bisimulation Equivalence). 

A binary relation R between processes is a bisimulation if whenever $(p, q) \in R$ 
then, for each $a \in Act$, 

1. $p \xrightarrow{a} p'$ implies $\exists q'.\ q \xrightarrow{a} q' \wedge (p', q') \in R$ 

2. $q \xrightarrow{a} q'$ implies $\exists p'.\ p \xrightarrow{a} p' \wedge (p', q') \in R$ 

Two processes p and q are said to be bisimulation equivalent or bisimilar, 
written $p \sim q$, if $(p, q) \in R$ for some bisimulation R. In [Mil89] it is shown that 
$\sim$ is the largest bisimulation and that it is an equivalence relation. Henceforth, 
$[p]^{\mathcal{P}}_{\sim}$ will denote the bisimulation equivalence class of some process p with 
respect to a set of processes $\mathcal{P}$. 

Bisimulation may be further generalised to the notion of bisimulation up 
to which turns out to be useful in proofs for bisimilarity (cf. [Mil89]). Note 
that $\sim R \sim$ will denote the composition of the three binary relations $\sim$, R, 
and $\sim$. 

Definition 2.5.5 (Bisimulation Up To). 

A binary relation R between processes is a bisimulation up to $\sim$ if whenever 
$(p, q) \in R$ then, for each $a \in Act$, 

1. $p \xrightarrow{a} p'$ implies $\exists q'.\ q \xrightarrow{a} q' \wedge (p', q') \in {\sim R \sim}$ 

2. $q \xrightarrow{a} q'$ implies $\exists p'.\ p \xrightarrow{a} p' \wedge (p', q') \in {\sim R \sim}$ 

The importance of bisimulations up to $\sim$ follows from the fact that $R \subseteq {\sim}$ 
whenever R is a bisimulation up to $\sim$. Thus in order to show that two processes 
p and q are bisimilar it suffices to prove that the pair (p, q) is contained 
in some bisimulation up to $\sim$. 
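Definitions 2.5.4 and 2.5.5 on a finite labelled transition graph, as an added example (written for this edition, not code from the monograph): the Python below computes $\sim$ as the greatest fixpoint of the monotone refinement map on relations, iterated from $S \times S$ exactly as Theorem 2.2.1 prescribes, checks whether a given relation is a bisimulation, and checks the weaker up-to condition of Definition 2.5.5 against the computed $\sim$. The three vending-machine processes, the names refine, bisimilarity and matches, and the way pairs are matched are assumptions of the example.

```python
# Constructed labelled transition graph (not from the monograph) as a set of
# triples (s, a, s').  p0 and q0 are copies of a machine that decides between
# tea and coffee after the coin; r0 resolves that choice already when the coin
# is inserted.  All three generate the same language, only two are bisimilar.
TRANS = {
    ("p0", "coin", "p1"), ("p1", "tea", "p0"), ("p1", "coffee", "p0"),
    ("q0", "coin", "q1"), ("q1", "tea", "q0"), ("q1", "coffee", "q0"),
    ("r0", "coin", "r1"), ("r0", "coin", "r2"),
    ("r1", "tea", "r0"), ("r2", "coffee", "r0"),
}
STATES = sorted({s for s, _, _ in TRANS} | {t for _, _, t in TRANS})
ACTS = sorted({a for _, a, _ in TRANS})

def succ(s, a):
    """All a-successors of s."""
    return {t for (s1, a1, t) in TRANS if s1 == s and a1 == a}

def matches(p, q, inside):
    """Clauses 1 and 2 of Definition 2.5.4 for one pair (p, q), where the
    pairs of successors must lie in `inside`: R itself for a bisimulation,
    ~R~ for a bisimulation up to ~ (Definition 2.5.5)."""
    return (all(any((p1, q1) in inside for q1 in succ(q, a))
                for a in ACTS for p1 in succ(p, a))
            and all(any((p1, q1) in inside for p1 in succ(p, a))
                    for a in ACTS for q1 in succ(q, a)))

def refine(R):
    """F(R): the pairs of R whose transitions can all be matched within R.
    F is monotone on the complete lattice of relations over STATES."""
    return frozenset((p, q) for (p, q) in R if matches(p, q, R))

def bisimilarity():
    """~ is the largest bisimulation, i.e. the greatest fixpoint of F.  On a
    finite graph Theorem 2.2.1 yields it by iterating F from the top element
    STATES x STATES until the relation is stable."""
    R = frozenset((p, q) for p in STATES for q in STATES)
    while True:
        nxt = refine(R)
        if nxt == R:
            return R
        R = nxt

def is_bisimulation(R):
    R = frozenset(R)
    return refine(R) == R

def compose(A, B):
    """Relational product A o B."""
    return frozenset((x, z) for (x, y) in A for (y2, z) in B if y == y2)

def is_bisimulation_up_to(R, sim):
    """Definition 2.5.5 with ~ supplied as `sim`: successors must be related
    by ~ R ~ rather than by R."""
    R = frozenset(R)
    closure = compose(compose(sim, R), sim)
    return all(matches(p, q, closure) for (p, q) in R)

if __name__ == "__main__":
    sim = bisimilarity()
    print("p0 ~ q0:", ("p0", "q0") in sim, "  p0 ~ r0:", ("p0", "r0") in sim)
```

The relation {(p0, q0), (p1, p1)} is not a bisimulation, because the coin-successors p1 and q1 are not related by it, but it is a bisimulation up to $\sim$, since (p1, q1) lies in $\sim R \sim$ via p1 $\sim$ p1 and p1 $\sim$ q1; by the remark above this already proves p0 $\sim$ q0. In a pen-and-paper proof the membership in $\sim R \sim$ is established by algebraic laws rather than by computing $\sim$ first; the example only uses the computed $\sim$ to check the condition mechanically.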

Compared to bisimulation equivalence, which takes into account for instance 
the notions of deadlock, livelock or causality, classical language equivalence 
is rather coarse since it ignores the branching structure of processes. 
Nevertheless, in the special case of normed and deterministic processes, which 
will be introduced in the next subsection, we may apply results and proof 
techniques concerning language equivalence known from formal language theory. 

Definition 2.5.6 (Language Equivalence). 

Let $(S, Act, \to)$ be a labelled transition graph. The language generated by a 
process $p \in S$, denoted $\mathcal{L}(p)$, is defined as 

$\mathcal{L}(p) =_{df} \{ w \in Act^* \mid p \xrightarrow{w} p' \not\to \text{ for some } p' \}$ 

Two processes p and q are said to be language equivalent iff $\mathcal{L}(p) = \mathcal{L}(q)$. 

Just as one can safely eliminate useless productions in grammars without 
changing the generated language, also in this setting only terminating 
processes may contribute to the generation of languages. With each class 
of processes $\mathcal{K}$ we associate now the class of languages $\mathcal{L}(\mathcal{K})$ defined by 
$\{ \mathcal{L}(p) \mid p \in \mathcal{K} \}$. 

2.5.2 Normedness and Determinism 

Although processes often represent continuously reacting systems it is some- 
times also desirable that they possess an option to terminate. The notion of 
norm is then a measure for how fast this can happen. 

Definition 2.5.7 (Norm). 

The norm of a process p, written as $\|p\|$, is the length of the shortest transition 
sequence from p to a terminating state. If a process p cannot reach a 
terminating state its norm is defined to be infinite. A process is said to be 
normed if its norm is finite, and is called strongly normed if any successor 
is normed. Finally, a transition $p \xrightarrow{a} p'$ of a normed process p is called a 
norm-reducing transition if $\|p'\| = \|p\| - 1$. 




22 



2. Background 



Note that bisimulation equivalence always respects the norm, i.e. we have 
$p \sim q$ implies $\|p\| = \|q\|$. 

A different property associated with processes concerns the notion of de- 
terminism. In general, labelled transition graphs are nondeterministic, i.e. 
processes can have more than one successor labelled with the same action a. 
This feature is crucial since in process calculi parallelism is often reduced to 
nondeterministic interleaving of actions. However, from a theoretical point of 
view it is quite natural to explore also the subclass of deterministic labelled 
transition graphs, as defined by Milner [Mil89]. 

Definition 2.5.8 (Deterministic Labelled Transition Graphs). 

A labelled transition graph $(S, Act, \to)$ is deterministic (up to bisimilarity) 
iff, for all states p in S, we have that $p \xrightarrow{a} p'$ and $p \xrightarrow{a} p''$ implies $p' \sim p''$. 
As usual, a process p is called deterministic if it belongs to a deterministic 
labelled transition graph. 

Now it is easy to show that language equivalence and bisimulation equivalence 
coincide for deterministic labelled transition graphs where every vertex 
is normed. One direction of the proof follows immediately from the fact that 
bisimulation is contained in language equivalence, while the other is 
straightforwardly shown by proving that 

$\{ (p, q) \mid \mathcal{L}(p) = \mathcal{L}(q) \text{ and } p, q \text{ strongly normed and deterministic} \}$ 

is a bisimulation. Hence, any bisimulation decision procedure for a class of 
processes $\mathcal{K}$ is also an algorithm for deciding language equivalence on the 
class of languages $\mathcal{L}(\mathcal{K}_{det})$ where $\mathcal{K}_{det}$ denotes the deterministic fragment of 
$\mathcal{K}$. 
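Norms, norm-reducing transitions and determinism on a finite labelled transition graph, as an added example (written for this edition, not the monograph's code): the Python below computes $\|p\|$ by breadth-first search, collects the norm-reducing transitions of Definition 2.5.7, and checks a syntactic sufficient condition for Definition 2.5.8. Two points are assumptions of the example: "any successor is normed" is read as every state reachable from p being normed, and the determinism check demands syntactically identical a-successors, which is stricter than the definition's "up to bisimilarity" (a bisimulation check, as in the earlier example, would be needed for the exact condition). The graph and the function names are constructed for the example.

```python
from collections import deque

# Constructed labelled transition graph (not from the monograph) as a set of
# triples (s, a, s').  s4 is terminating; s3 can only loop and is unnormed;
# t0 makes a nondeterministic choice on action a.
TRANS = {
    ("s0", "a", "s1"), ("s0", "b", "s3"),
    ("s1", "a", "s2"), ("s1", "c", "s0"),
    ("s2", "b", "s4"),
    ("s3", "a", "s3"),
    ("t0", "a", "s1"), ("t0", "a", "s3"),
}
INF = float("inf")

def out(s):
    """Outgoing transitions (a, s') of s; empty iff s is terminating."""
    return {(a, t) for (s1, a, t) in TRANS if s1 == s}

def norm(p):
    """||p||: length of a shortest transition sequence from p to a terminating
    state (Definition 2.5.7), by breadth-first search; INF if none exists."""
    dist = {p: 0}
    queue = deque([p])
    while queue:
        s = queue.popleft()
        if not out(s):
            return dist[s]        # BFS: the first terminating state found is closest
        for _, t in out(s):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return INF

def reachable(p):
    """All states reachable from p via ->*, p included."""
    seen, stack = {p}, [p]
    while stack:
        s = stack.pop()
        for _, t in out(s):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def strongly_normed(p):
    """Assumption of this example: 'any successor is normed' is read as every
    state reachable from p being normed."""
    return all(norm(s) < INF for s in reachable(p))

def norm_reducing(p):
    """Transitions p -a-> p' with ||p'|| = ||p|| - 1 (empty for unnormed p)."""
    n = norm(p)
    return {(a, t) for (a, t) in out(p) if n < INF and norm(t) == n - 1}

def syntactically_deterministic(p):
    """Sufficient condition for Definition 2.5.8: no reachable state has two
    different a-successors for one action a.  The definition only requires
    those successors to be bisimilar, so this check may reject graphs that
    are deterministic up to bisimilarity."""
    for s in reachable(p):
        targets = {}
        for a, t in out(s):
            if a in targets and targets[a] != t:
                return False
            targets[a] = t
    return True

if __name__ == "__main__":
    for s in ("s0", "s1", "s3", "t0"):
        print(s, "norm:", norm(s), "norm-reducing:", norm_reducing(s),
              "deterministic:", syntactically_deterministic(s))
```

From s0 the only norm-reducing transition is the a-step to s1: the b-step leads into the unnormed loop at s3, so s0 is normed but not strongly normed, and every process that can reach s3 shares that property, while s2 and s4 are strongly normed.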



2.6 Context-Free Processes 

Since the beginning algebraic frameworks have played an important role in 
the study of concurrent communicating processes. Of paramount influence 
has been the Calculus of Communicating Processes (CCS) introduced by 
Milner [Mil80, Mil89], but also other calculi have contributed significantly 
to the better understanding of the complex phenomena which may occur in 
concurrent systems. Here we mention only the Algebra of Communicating 
Processes (ACP) which was first presented by Bergstra and Klop in [BK84]. 
ACP is an equational specification which has in its signature a constant 
6 for deadlock, as well as operators for nondeterministic choice, sequential 
composition, asynchronous parallel composition (called merge), synchronous 
parallel composition (called communication merge), and encapsulation. 

Although the combination of these operators admits to model concisely 
very complex real-world systems, it hides at the same time the underlying 
properties of single operators to a certain degree. Consequently, a number 
of subcalculi have been considered, focusing only on a few operators. In the 
case of ACP, the most prominent ones are maybe the Process Algebra (PA) 
[BW90] which has only the operators for nondeterministic choice, sequential 
composition, and merge, together with its two subcalculi Basic Parallel Processes 
(BPP) [Chr93] where sequential composition is replaced by prefixing, 
and Basic Process Algebra (BPA) [BBK87a] where the merge is omitted. 

In this section we introduce the latter calculus, i.e. the theory Basic Process 
Algebra and its extensions $BPA_\delta$, $BPA_\varepsilon$, and $BPA_{\delta\varepsilon}$. Although we will 
mainly deal with "pure" BPA specifications in the remainder of this monograph 
we chose to introduce also its extensions in greater detail since they 
may serve as a good motivation for our definition of Pushdown Process Algebra 
(PDPA) given in the next chapter. 

2.6.1 Syntax and Semantics 

BPA can be interpreted as an equational specification $BPA = (\Sigma_{BPA}, E_{BPA})$ 
where 

— $\Sigma_{BPA}$ is a signature containing the binary operators + and $\cdot$, as well as a 
set of constants Act, and 

— $E_{BPA}$ is a set of equations (or axioms), called the BPA laws, given in Table 2.1. 

A1: $E_1 + E_2 = E_2 + E_1$ 
A2: $(E_1 + E_2) + E_3 = E_1 + (E_2 + E_3)$ 
A3: $E_1 + E_1 = E_1$ 
A4: $(E_1 + E_2) \cdot E_3 = E_1 \cdot E_3 + E_2 \cdot E_3$ 
A5: $(E_1 \cdot E_2) \cdot E_3 = E_1 \cdot (E_2 \cdot E_3)$ 

Table 2.1. The BPA laws. 



The operator + is interpreted as nondeterministic choice while $\cdot$ denotes 
sequential composition; henceforth we usually omit the $\cdot$. Moreover, we use 
the convention that $\cdot$ binds stronger than +. Intuitively, the BPA laws express 
the commutativity, associativity and idempotence of +, right distributivity 
of $\cdot$ over +, and associativity of $\cdot$. 

As it is standard in process calculi the operational semantics of BPA 
expressions is defined in terms of action relations which are often given in 
the style of structural operational semantics, introduced by Plotkin [Plo81]. 
In this monograph we will follow the presentation given in [BW90]. 
To start with, let $\xrightarrow{a}$, for each $a \in Act$, be a binary relation over BPA 
terms where $t \xrightarrow{a} t'$ denotes that t can perform an a-action and thereby turn 
into t'. Moreover, we introduce, for each $a \in Act$, the unary predicate $\xrightarrow{a} \surd$ 
over BPA terms. The intention of $t \xrightarrow{a} \surd$ is that t terminates after execution 
of an a-action. Accordingly, the symbol $\surd$ denotes successful termination^2. 
The action relations for BPA are given in Table 2.2. 

$a \xrightarrow{a} \surd$ 

$\dfrac{E \xrightarrow{a} \surd}{EF \xrightarrow{a} F}$ 

$\dfrac{E \xrightarrow{a} E'}{EF \xrightarrow{a} E'F}$ 

$\dfrac{E \xrightarrow{a} \surd}{E + F \xrightarrow{a} \surd}$ 

$\dfrac{F \xrightarrow{a} \surd}{E + F \xrightarrow{a} \surd}$ 

$\dfrac{E \xrightarrow{a} E'}{E + F \xrightarrow{a} E'}$ 

$\dfrac{F \xrightarrow{a} F'}{E + F \xrightarrow{a} F'}$ 

Table 2.2. Action relations for BPA. 



Thus far, successful termination can only be dealt with implicitly in the 
theory BPA. However, it is also possible to add successful termination explicitly 
to BPA yielding the proper extension $BPA_\varepsilon$. In fact, we will go one step 
further by introducing the distinction between successful and unsuccessful 
termination which will play an important role when considering sequential 
composition in greater detail. The idea is that the second component of a 
process $E_1 E_2$ can only start execution, if $E_1$ has successfully terminated. 
Otherwise, in case of an unsuccessful termination of $E_1$, we also say that $E_1$ 
has deadlocked and thus does not allow $E_2$ to proceed. 

The two different kinds of termination are modelled in our theory by 
introducing the new constants e for the process that may only successfully 
terminate (also known as the empty process) and 6 for deadlock, respectively. 

We obtain the theory BPA^^ = (AepAjj, ^ lBPAje)> ^ nontrivial extension 
of BPA, where 

— AppA^e has the binary operators -k, •, a set Act of constants and the special 
constants 6 and e with 8,e Act, and 

— EbpAsc consists of the equations given for BPA in Table 2.1 and the new 
axioms given in Table 2.3. 

In order to give the action relations for BPA$_{\delta\varepsilon}$ the termination predicate
$\xrightarrow{a} \surd$ will be split into the transition $\xrightarrow{a} \varepsilon$ and the successful termination
$\varepsilon \downarrow$, where the unary predicate $\downarrow$ indicates that the process has an option
to terminate^. In contrast, the introduction of deadlock into BPA does not
require a change in the action relations since it may not perform any action,
and moreover, blocks even processes following in a sequential composition
as stated by the axiom A7. The action relations of BPA$_{\delta\varepsilon}$ are now given in
Table 2.4.

^ To simplify the presentation, instead of $\surd$ often the empty word $\varepsilon$ is used to
represent successful termination with the convention that $\varepsilon E = E \varepsilon = E$.

^ This notion of termination option will further be refined when introducing the
process calculus PDPA in the next chapter.

A6 : $E + \delta = E$

A7 : $\delta E = \delta$

A8 : $E \varepsilon = E$

A9 : $\varepsilon E = E$

Table 2.3. Deadlock and the empty process.



$\varepsilon \downarrow$          $\frac{E \downarrow}{(E + F) \downarrow}$          $\frac{F \downarrow}{(E + F) \downarrow}$          $\frac{E \downarrow,\ F \downarrow}{(EF) \downarrow}$

$a \xrightarrow{a} \varepsilon$          $\frac{E \downarrow,\ F \xrightarrow{a} F'}{EF \xrightarrow{a} F'}$          $\frac{E \xrightarrow{a} E'}{EF \xrightarrow{a} E'F}$

$\frac{E \xrightarrow{a} E'}{E + F \xrightarrow{a} E'}$          $\frac{F \xrightarrow{a} F'}{E + F \xrightarrow{a} F'}$

Table 2.4. Action relations for BPA$_{\delta\varepsilon}$.



By themselves BPA$_{\delta\varepsilon}$ expressions do not provide much expressive power
since they may describe only finite processes. To remedy this lack of expressiveness,
we introduce recursion to BPA$_{\delta\varepsilon}$ by means of recursive equations
$X = t(X)$ where $X$ is a process variable and $t(X)$ is a BPA$_{\delta\varepsilon}$ term with free
variable $\{X\}$. BPA$_{\delta\varepsilon}$ specifications are then a straightforward generalisation^.

Definition 2.6.1. A BPA$_{\delta\varepsilon}$ specification $C$ is a quadruple $(V, Act, \mathcal{E}, X_1)$
consisting of

— a finite set of process variables or nonterminals $V = \{X_1, \ldots, X_n\}$,

— a finite set of actions or terminals $Act$,

— a finite set of recursive process equations $\mathcal{E} = \{X_i =_{df} E_i \mid 1 \le i \le n\}$,
where each $E_i$ is a BPA$_{\delta\varepsilon}$ expression with free variables in $V$,

— a variable $X_1 \in V$, called the root.



^ A BPA$_{\delta\varepsilon}$ specification is the process theory analogon to a context-free grammar
in formal language theory.

If $V$ and $Act$ are clear from the context we will occasionally present a
specification merely by its equations where we adopt the convention that the
first variable represents the root.

The semantics of a specification will later be defined as the set of all 
processes in the underlying model which satisfy the given equations. One 
possible way to interpret the existence of multiple solutions is then to consider 
the given specification as being only partial. For example, the trivial equation 
X = X of which every process is a solution does not specify anything at 
all. Of more interest are therefore specifications which determine uniquely a 
process. A useful, syntactical criterion that will guarantee this property is 
guardedness. 

Definition 2.6.2 (Guardedness).

We call an occurrence of a variable $X$ in a BPA$_{\delta\varepsilon}$ term $t$ guarded if $t$ has a
subterm $a.t'$ such that $a$ is an atomic action and $t'$ contains the occurrence
of $X$. A BPA$_{\delta\varepsilon}$ term $t$ is guarded if every variable occurrence is guarded, and
a BPA$_{\delta\varepsilon}$ specification is guarded if each $E_i$ is guarded, for $1 \le i \le n$.



This definition of guardedness may further be relaxed by calling a term
semantically guarded if it can be rewritten using the BPA$_{\delta\varepsilon}$ axioms to a
(syntactically) guarded term. Analogously, a BPA$_{\delta\varepsilon}$ specification $C$ is said
to be semantically guarded if it is possible to rewrite $C$ to a guarded BPA$_{\delta\varepsilon}$
specification using the axioms and by (iterative) replacement of variables by
their defining right-hand sides.

Finally, recursion is dealt with in the action relations for BPA$_{\delta\varepsilon}$ (and BPA$_\varepsilon$)
by introducing the following rules.

$\frac{E \downarrow}{X \downarrow}\ \ X = E \in \mathcal{E}$          $\frac{E \xrightarrow{a} E'}{X \xrightarrow{a} E'}\ \ X = E \in \mathcal{E}$

Besides extending BPA with both kinds of termination simultaneously, it
is also possible to consider the single extensions BPA$_\varepsilon$ and BPA$_\delta$ on their
own. Of greater interest for us will be BPA$_\delta$ which is defined by the BPA
laws given in Table 2.1 and the axioms A6, A7 of Table 2.3. The action rules
for BPA$_\delta$ coincide with those of BPA, and thus are already given in Table
2.2. Moreover, they are extended to handle also recursion by the rules

$\frac{E \xrightarrow{a} \surd}{X \xrightarrow{a} \surd}\ \ X = E \in \mathcal{E}$          $\frac{E \xrightarrow{a} E'}{X \xrightarrow{a} E'}\ \ X = E \in \mathcal{E}$


Since all the definitions given for BPA$_{\delta\varepsilon}$ can straightforwardly be adapted
to the weaker settings of BPA, BPA$_\varepsilon$, and BPA$_\delta$ we will henceforth use the
adapted notions without giving further definitions.

BPA, or one of its extensions, may now be interpreted in a number of
models. Of particular interest are, however, models of which BPA is a complete
axiomatisation since then an equation between closed terms is valid
in the model iff it is derivable from BPA. In this monograph we will focus
on the so-called graph model $\mathcal{G}/\!\sim$ for BPA, as well as BPA$_\delta$. $\mathcal{G}/\!\sim$ is, as
proved in [BW90], a complete model for BPA and consists of the set of finitely
branching rooted transition graphs factorised by bisimulation.

Definition 2.6.3 (Operational Semantics).

The operational semantics of a guarded BPA specification $(V, Act, \mathcal{E}, X_1)$ is
given by the labelled transition graph $(V^*, Act, \rightarrow)$ rooted at $X_1$ where the
transition relation $\rightarrow$ is given by the action relations for BPA on $V^* \times V^*$.
The process defined by $X_1$ is then also called context-free.

It can be shown that in this graph model any guarded BPA specification 
has a unique solution up to bisimulation equivalence [BK84]. Furthermore, 
for ease of presentation, it is useful that we can restrict our attention to BPA 
specifications in a certain normal form. 

Definition 2.6.4 (Greibach Normal Form).

A BPA specification $(V, Act, \mathcal{E}, X_1)$ is said to be in Greibach Normal Form
(GNF) if all defining equations are of the form

$X_i =_{df} \sum_{j=1}^{m_i} a_{ij} \alpha_{ij}$, for $1 \le i \le n$

where $\alpha_{ij} \in V^*$. If, moreover, each variable sequence $\alpha_{ij}$ has length of at
most $K$ the BPA specification is said to be in $K$-Greibach Normal Form
($K$-GNF)^.

Note that BPA specifications in GNF have the nice property that a transition
step in the operational semantics corresponds directly to a leftmost
derivation step in the related grammar. As the following Normal Form Theorem
[BBK87b, Hüt91] shows we may henceforth assume wlog. that BPA
specifications are always given in GNF, since any guarded BPA specification
which is not in GNF may effectively be transformed up to bisimilarity into a
BPA specification satisfying this condition.

Proposition 2.6.1. Any guarded BPA specification $C = (V, Act, \mathcal{E}, X)$ can
effectively be transformed into a BPA specification $C' = (V', Act, \mathcal{E}', X')$ in
2-Greibach Normal Form, such that $X \sim X'$.

By means of this proposition and the correspondence between BPA specifications
in GNF and context-free grammars in GNF it is now possible to
establish that languages generated by BPA processes are always context-free.
Hence, we may conclude from the undecidability of language equivalence for
context-free languages mentioned in Section 2.4 that language equivalence is
also undecidable for BPA specifications. In fact, all behavioural equivalences
in the van Glabbeek linear-time/branching hierarchy [Gla90] except bisimulation
equivalence are undecidable for BPA [GH94]. By reduction from the
problem of language inclusion for simple grammars, which was shown undecidable
by Friedman [Fri76], the same holds for the corresponding preorders.

^ Note that some authors call this restricted format $K+1$-Greibach Normal Form
as they include the action $a$ when considering the length of a right-hand side
expression.

We close this section by remarking that the BPA laws are easily shown
to be sound with respect to bisimilarity [BK88].

Proposition 2.6.2. For any BPA expressions $E_1, E_2$ and $E_3$ we have that

$E_1 + E_2 \sim E_2 + E_1$,

$(E_1 + E_2) + E_3 \sim E_1 + (E_2 + E_3)$,

$E_1 + E_1 \sim E_1$,

$(E_1 + E_2) E_3 \sim E_1 E_3 + E_2 E_3$, and

$(E_1 E_2) E_3 \sim E_1 (E_2 E_3)$.

Given a BPA specification $C = (V, Act, \mathcal{E}, X)$, we shall use $X, Y, \ldots$ to
range over variables in $V$ and Greek letters $\alpha, \beta, \ldots$ to range over elements
in $V^*$. For technical convenience, we use $\varepsilon$ to denote the empty variable
sequence with the convention $\varepsilon\alpha = \alpha\varepsilon = \alpha$. Moreover, the function $|.|$ gives
the length of a sequence. Finally, we shall often give a BPA specification by
simply presenting $\mathcal{E}$ with the convention that the first variable represents the
root.



2.6.2 Normedness 

In the sequel we shall distinguish normed and unnormed BPA specifications. 
As usual, a BPA specification is said to be normed if all variables are normed 
and it is called unnormed otherwise. In fact, the norm of variables and there- 
fore the normedness of BPA specifications can easily be determined by a slight 
variant of Dijkstra’s shortest path algorithm. Moreover, we want to point out 
that in normed BPA specifications all processes defined by some variable are 
even strongly normed, while variables in unnormed BPA specifications define 
not only unnormed, but also normed processes. 
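The Dijkstra-like computation of norms mentioned above, as an added Python example that is not code from the monograph: in each round it fixes the undetermined variable whose cheapest summand over already-fixed variables is minimal, and every variable left over is unnormed. The dict encoding of a GNF specification is an assumption of the example; the constructed inputs include the two counterexamples to the cancellation rules given later in this section.

```python
import math
from typing import Dict, List, Tuple

# A BPA specification in Greibach Normal Form is encoded as a dict mapping
# each variable X_i to its summands a_ij alpha_ij, each summand being a pair
# (action, tuple of variables).  This encoding is an assumption of the example.
Spec = Dict[str, List[Tuple[str, Tuple[str, ...]]]]


def norms(spec: Spec) -> Dict[str, float]:
    """Norm ||X|| of every variable: the length of a shortest terminating
    transition sequence, or math.inf if X is unnormed.

    Dijkstra-style rounds: an undetermined variable whose cheapest summand
    uses only variables of already known norm, and whose candidate value is
    minimal among all such candidates, has exactly that norm, because every
    norm is >= 1 and so no later round can offer it a cheaper path."""
    done: Dict[str, float] = {}
    while True:
        best_var, best_val = None, math.inf
        for var, summands in spec.items():
            if var in done:
                continue
            for _action, alpha in summands:
                # A summand a.alpha terminates in 1 + ||alpha|| steps, where
                # ||alpha|| is additive over the variables in alpha.
                if all(v in done for v in alpha):
                    cand = 1 + sum(done[v] for v in alpha)
                    if cand < best_val:
                        best_var, best_val = var, cand
        if best_var is None:
            break                       # nothing else can ever terminate
        done[best_var] = best_val
    # Every variable that was never fixed is unnormed.
    return {var: done.get(var, math.inf) for var in spec}


def seq_norm(spec: Spec, alpha: Tuple[str, ...]) -> float:
    """||alpha|| for a variable sequence, using additivity wrt. sequential
    composition (||XY|| = ||X|| + ||Y||); the empty sequence has norm 0."""
    n = norms(spec)
    return sum(n[v] for v in alpha)


def is_normed(spec: Spec) -> bool:
    """A specification is normed iff all of its variables are normed."""
    return all(math.isfinite(n) for n in norms(spec).values())


# Constructed inputs.  The first two are the counterexamples to the
# cancellation rules (Y = bY, resp. Y = aY, is unnormed, X is normed).
COUNTER1: Spec = {
    "X": [("a", ()), ("a", ("X",)), ("a", ("Y",))],
    "Y": [("b", ("Y",))],
}
COUNTER2: Spec = {
    "X": [("a", ())],
    "Y": [("a", ("Y",))],
}
# A normed specification where the cheapest summand of X goes through Y,
# so the round scheme has to fix Y before it can fix X.
NORMED: Spec = {
    "X": [("a", ("X", "X")), ("b", ("Y", "Y"))],
    "Y": [("c", ())],
}

if __name__ == "__main__":
    for name, spec in [("COUNTER1", COUNTER1), ("COUNTER2", COUNTER2),
                       ("NORMED", NORMED)]:
        print(name, norms(spec), "normed:", is_normed(spec))
```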

Although the class of processes defined by normed BPA specifications does
not fully include the class of regular processes, related research has proved
to be valuable since it may serve as a starting point for studying general
BPA processes. In the remainder of this section we shall state some well-known
properties of normed BPA processes. In particular, normedness of
BPA processes allows us to take advantage of some important cancellation rules
which build the basis of all bisimulation decision procedures known for this
class of processes.
To start with, we observe that the norm is additive wrt. sequential composition,
i.e. $\|\alpha\beta\| = \|\alpha\| + \|\beta\|$, and that bisimulation equivalence is a
congruence relation wrt. sequential composition, i.e. we have

$\alpha\beta \sim \alpha'\beta'$ whenever $\alpha \sim \alpha'$ and $\beta \sim \beta'$.

Lemma 2.6.1 (Cancellation rules for normed BPA).

Let $\alpha$, $\beta$ and $\gamma$ be normed. Then

1. $\gamma\alpha \sim \gamma\beta$ implies $\alpha \sim \beta$ and

2. $\alpha\gamma \sim \beta\gamma$ implies $\alpha \sim \beta$.

Note however that both implications of the cancellation lemma are invalid
for unnormed processes as demonstrated by the following examples:

1. Let $X = a + aX + aY$ and $Y = bY$ then we have $XY \sim XXY$ but
$Y \not\sim XY$.

2. Let $X = a$ and $Y = aY$ then we have $XY \sim XXY$ but $X \not\sim XX$.

Both counterexamples are shown for illustration in Figure 2.2.



[Figure 2.2 not reproduced: two transition graphs, panel "Example 1" (for $Y$, $XY$, $XXY$) and panel "Example 2" (for $X$, $XX$, $XY$, $XXY$).]

Fig. 2.2. Examples that cancellation does not hold for unnormed BPA processes.



A crucial property of normed BPA processes which is based on the previous
cancellation rules is now stated in the following splitting lemma given first
by Caucal [Cau90].

Lemma 2.6.2 (Splitting rule for normed BPA).

Let $X\alpha, Y\beta \in V^*$ be normed such that $\|X\| \le \|Y\|$. Then

$X\alpha \sim Y\beta$ iff $X\gamma \sim Y$ and $\alpha \sim \gamma\beta$ for some $\gamma$.

By means of this splitting lemma the problem of proving $X\alpha \sim Y\beta$ can thus
be reduced to the "smaller" subproblems of proving $X\gamma \sim Y$ and $\alpha \sim \gamma\beta$. In
fact, all recently obtained algorithms for deciding bisimulation equivalence
for normed BPA processes [Cau90, Gro91, HS91, HT94, HM94] rely on this
reduction.

Finally, we mention that in the presence of unnormed processes we only have
the following trivial right-cancellation rule.

Lemma 2.6.3 (Right-cancellation rule for unnormed BPA).

If $X$ is unnormed, then $\alpha X \beta \sim \alpha X$.

2.6.3 Self-bisimulations 

In order to prove bisimilarity of two processes $p$ and $q$ it suffices to exhibit a
bisimulation relating $p$ and $q$. However, since this task is sometimes difficult
to accomplish another proof technique introduced by Caucal [Cau90] is often
useful.

Definition 2.6.5. Given a binary relation $R$ between processes, and writing
$\leftrightarrow^*_R$ for the congruence closure of $R$ wrt. sequential composition, we define
$p =_R q$ if for each $a \in Act$,

1. $p \xrightarrow{a} p'$ implies $\exists q'.\ q \xrightarrow{a} q' \wedge p' \leftrightarrow^*_R q'$, and

2. $q \xrightarrow{a} q'$ implies $\exists p'.\ p \xrightarrow{a} p' \wedge p' \leftrightarrow^*_R q'$.

A binary relation $R$ between processes is then said to be a self-bisimulation
if $R \subseteq\ =_R$.

The importance of self-bisimulations is now revealed by the following lemma
which was first proved in [Cau90].

Lemma 2.6.4. If $R$ is a self-bisimulation then $\leftrightarrow^*_R\ \subseteq\ \sim$.

Intuitively, the lemma states that solving the word problem for a self-bisimulation
$R$ and two processes $p$ and $q$ is already sufficient to establish
bisimilarity of $p$ and $q$. Interestingly, the proof of Caucal even shows that
$\leftrightarrow^*_R$ itself is a bisimulation whenever $R$ is a self-bisimulation. We therefore have
also the following equivalence.

Corollary 2.6.1. $R$ is a self-bisimulation iff $\leftrightarrow^*_R$ is a bisimulation.

Finally, we close this section by proving the additional properties that $=_R$
is transitive, as well as a right-congruence with respect to sequential composition.
Both properties are needed when developing our branching algorithm
for deciding bisimilarity of normed context-free processes in Section 5.4.

Lemma 2.6.5. Let $R$ be a binary relation between processes. Then we have

1. $p_1 =_R p_2$ and $p_2 =_R p_3$ implies $p_1 =_R p_3$, and

2. $p_1 =_R p_2$ implies $p_1 q =_R p_2 q$.

Proof. To prove the first part of the lemma let $p_1 =_R p_2$ and $p_2 =_R p_3$.
Assume that $p_1 \xrightarrow{a} p'_1$ for some action $a$ and some process $p'_1$. Due to $p_1 =_R p_2$
we know that $p_2 \xrightarrow{a} p'_2$ for some $p'_2$ such that $p'_1 \leftrightarrow^*_R p'_2$. Moreover, from $p_2 =_R
p_3$ we deduce the existence of some process $p'_3$ which satisfies $p_3 \xrightarrow{a} p'_3$ and
$p'_2 \leftrightarrow^*_R p'_3$. Now the transitivity of $\leftrightarrow^*_R$ yields $p'_1 \leftrightarrow^*_R p'_3$. The other direction
that $p_3 \xrightarrow{a} p'_3$ implies $p_1 \xrightarrow{a} p'_1$ and $p'_1 \leftrightarrow^*_R p'_3$ for some $p'_1$ is shown in a similar
way.

For the proof of the second part observe that $p_1$ and $p_2$ must either be
both the empty process or we have $p_1, p_2 \neq \varepsilon$. Since in the first case the lemma
obviously holds we assume $p_1, p_2 \neq \varepsilon$, and $p_1 q \xrightarrow{a} p'_1 q$ for some $a, p'_1$. As this
transition is then due to $p_1 \xrightarrow{a} p'_1$ we conclude from $p_1 =_R p_2$ that $p_2 \xrightarrow{a} p'_2$
and $p'_1 \leftrightarrow^*_R p'_2$ for some $p'_2$. This yields $p_2 q \xrightarrow{a} p'_2 q$ and by the congruence
property of $\leftrightarrow^*_R$ also $p'_1 q \leftrightarrow^*_R p'_2 q$. As the other case for $p_2 q \xrightarrow{a} p'_2 q$ is shown
analogously this completes the proof. □




3. Pushdown Processes 



3.1 Introduction 

From “classical” language theory it is well-known that context-free grammars, 
as well as pushdown automata both characterise the class of context-free 
languages. In the setting of bisimulation semantics, however, the situation 
looks different as Caucal and Monfort have shown in [CM90] that the class 
of labelled transition graphs generated by pushdown automata is strictly 
larger than the class of labelled transition graphs generated by context-free 
grammars. This result obviously raises the questions 

— what are the new structural properties of pushdown processes in contrast 
to those of context-free processes, as well as 

— which of the known decision procedures for context-free processes can be 
extended to pushdown processes. 

In this chapter we contribute to this line of research by introducing the 
theory Pushdown Process Algebra (PDPA) which we believe is a convenient 
formalism for modelling the operational behaviour of pushdown automata 
when considered as processes. Using the algebraic approach has the benefit 
of being based on a sound mathematical foundation, as well as allowing us 
to build upon results already known for similar process algebras. 

We proceed by exploring the question of how the essential difference be- 
tween context-free processes and pushdown processes can be explained. A 
possible explanation is given by our result that the class of pushdown pro- 
cesses is closed under parallel composition with finite state systems. This 
follows from a new expansion theorem, whose implied ‘representation explo- 
sion’ is no worse than for finite state systems. Moreover, it turns out that 
pushdown processes are also the smallest extension of context-free processes 
up to renaming of labels which allows parallel composition with finite state 
processes. This representation property is shown by proving that every push- 
down process is bisimilar to a relabelled parallel composition of a context-free 
process with some finite process. Overall, these results indicate that push- 
down processes are an appropriate generalisation of context-free processes 
for dealing with some notion of parallelism. 

In Section 3.2 we define the syntax and semantics of Pushdown Process
Algebra (PDPA), a generalisation of BPA to the framework of pushdown
automata, while in Section 3.3 we compare the expressive power of pushdown
processes with that of context-free processes. Section 3.4 then presents the
PDPA laws which evolve directly from the corresponding BPA laws, and in
Section 3.5 we develop a procedure which transforms every pushdown process
specification effectively into a Greibach-like normal form. In Section 3.6 the
closure result under parallel composition with finite state processes is proved,
while in Section 3.7 we establish a decomposition theorem for pushdown processes.
Finally, in Section 3.8 we survey other proposed formalisms describing
the class of pushdown transition graphs.



3.2 Syntax and Semantics 

Pushdown automata are known from formal language theory as devices accepting
some context-free language. One possible way to define the language
accepted is as the set of inputs for which the pushdown automaton empties its
stack by means of some sequence of moves. In process theory, however, we are
more interested in the branching structure of the transition graph associated
with the pushdown automaton. Each internal configuration of the automaton
consisting of a state $q$ and a stack content $\gamma$ is interpreted as a process, while
a "sequence of moves" corresponds to a transition sequence in the transition
graph. Moreover, reaching a configuration with empty stack component
represents successful termination. Consequently, when considering sequential
compositions of pushdown transition graphs (or pushdown processes) we
have to take into account the final state the pushdown automaton has entered
when the stack is empty (cf. Figure 3.1).



[Figure 3.1 not reproduced: the shape of the transition graph rooted at $[q, \gamma]$.]

Fig. 3.1. Shape of a pushdown transition graph for $[q, \gamma]$.



In order to reflect this interpretation our process algebra will have two
sorts of processes, as well as two kinds of sequential composition. The first sort
shall contain processes of arity 1 which may only terminate by reaching the
unique process $\varepsilon$, while the second sort will consist of all processes which may
terminate by reaching one of the $n$ different configurations $[q_i, \varepsilon]$, $1 \le i \le n$,
where $n$ is the number of states $Q$ in the finite control of the automaton^.
Processes of the latter kind will have arity $n$.

To model pushdown processes we introduce now the theory Pushdown 
Process Algebra (PDPA). 

Definition 3.2.1 (Pushdown Process Algebra).

Pushdown Process Algebra (PDPA) is parameterised by a set of atomic actions
$Act$, a set of (control) states $Q = \{q_1, \ldots, q_n\}$, and a set of stack
symbols $Z$. PDPA process expressions are then given by the abstract syntax

$E ::= \varepsilon \mid a \mid [q, \gamma] \mid E_1 + E_2 \mid E_1.E_2 \mid E;(E_1, \ldots, E_n)$

where $a$ ranges over $Act$, $q$ over $Q$, and $\gamma$ over finite words of $Z$.

Intuitively, $\varepsilon$ represents the empty process of the first sort, which can immediately
terminate, while expressions of the form $[q, \gamma]$, the fragments^, are
the building blocks in this algebra. Later on simple fragments, i.e. fragments
where the word $\gamma$ is a single stack symbol, will play the role of nonterminals
when defining pushdown processes. As usual, the operator '$+$' is nondeterministic
choice. Note however, that we use two kinds of sequential composition:
the unary $E_1.E_2$ and the n-ary composition of processes $E;(E_1, \ldots, E_n)$.

In the remainder of this monograph we assume that sequential composition has higher
precedence than '$+$' and we use the abbreviation $E_n$ for $(E_1, \ldots, E_n)$. In particular,
we use $E_n.F$ for $(E_1.F, \ldots, E_n.F)$ and $E_n;F_n$ for $(E_1;F_n, \ldots, E_n;F_n)$.
Moreover, to shorten notation, we shall write $[q_n, \gamma]$ for $([q_1, \gamma], \ldots, [q_n, \gamma])$.

The introduction of fragments in combination with the n-ary sequential
composition causes now a problem which was not present in the BPA case:
when combining processes we have to take care of the arity or type of an
expression. Formally, given a set of control states $Q = \{q_1, \ldots, q_n\}$, the
arity of a PDPA expression is defined by the equations of Figure 3.1.

A PDPA expression is then said to be well-typed if its arity is defined. An
immediate consequence of our definition is that well-typed PDPA expressions
have either arity 1 or $n$ determining the type of sequential composition to
use for them.

As in the case of BPA, recursion is added to PDPA by introducing PDPA 
specifications which are (mutually) recursive equations over PDPA expres- 
sions together with a distinguished root. 



^ Note that for context-free processes this distinction is not necessary since they
may be interpreted as state-less pushdown processes. Thus the empty process $\varepsilon$
is identified with the empty stack $\varepsilon$.

^ We denote configurations $[q, \gamma]$ by the name fragment in order to emphasise that
they will represent the labelled transition graph rooted at $[q, \gamma]$ (cf. [BBK87a]).
$\mathrm{arity}(\varepsilon) = 1$

$\mathrm{arity}(a) = 1$

$\mathrm{arity}([q, \gamma]) = n$

$\mathrm{arity}(E_1 + E_2) = \begin{cases} \mathrm{arity}(E_1), & \text{if } \mathrm{arity}(E_1) = \mathrm{arity}(E_2) \\ \text{undefined}, & \text{otherwise} \end{cases}$

$\mathrm{arity}(E_1.E_2) = \begin{cases} \mathrm{arity}(E_2), & \text{if } \mathrm{arity}(E_1) = 1 \\ \text{undefined}, & \text{otherwise} \end{cases}$

$\mathrm{arity}(E;(E_1, \ldots, E_n)) = \begin{cases} \mathrm{arity}(E_1), & \text{if } \mathrm{arity}(E) = n \text{ and } \mathrm{arity}(E_i) = \mathrm{arity}(E_j) \text{ for all } 1 \le i, j \le n \\ \text{undefined}, & \text{otherwise} \end{cases}$

Table 3.1. The arity of PDPA expressions.
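The arity equations of Table 3.1 and the arity-$n$ requirement on right-hand sides, as an added Python example that is not the monograph's code; the tuple encoding of PDPA expressions is an assumption of the example, and the constructed expressions at the end exercise both the defined and the undefined cases.

```python
from typing import Dict, Optional, Tuple

# PDPA expressions in a tuple encoding assumed for this example (not the
# monograph's notation):
#   ("eps",)                  the empty process epsilon
#   ("act", a)                an atomic action a
#   ("frag", i, gamma)        the fragment [q_i, gamma], gamma a string over Z
#   ("plus", E1, E2)          nondeterministic choice E1 + E2
#   ("dot", E1, E2)           unary sequential composition E1.E2
#   ("semi", E, (E1,...,En))  n-ary sequential composition E;(E1,...,En)
Expr = Tuple


def arity(expr: Expr, n: int) -> Optional[int]:
    """Arity of a PDPA expression over n control states as defined in
    Table 3.1; None stands for 'undefined' (the expression is not well-typed)."""
    kind = expr[0]
    if kind in ("eps", "act"):
        return 1
    if kind == "frag":
        return n
    if kind == "plus":
        a1, a2 = arity(expr[1], n), arity(expr[2], n)
        # Both summands must have the same defined arity.
        return a1 if a1 is not None and a1 == a2 else None
    if kind == "dot":
        a1, a2 = arity(expr[1], n), arity(expr[2], n)
        # The left component of E1.E2 must be of the first sort (arity 1);
        # the result is the arity of E2 (None if E2 itself is ill-typed).
        return a2 if a1 == 1 else None
    if kind == "semi":
        head, comps = expr[1], expr[2]
        if len(comps) != n or arity(head, n) != n:
            return None
        comp_arities = {arity(c, n) for c in comps}
        # All n components must agree on one defined arity, which is the result.
        if len(comp_arities) != 1 or None in comp_arities:
            return None
        return comp_arities.pop()
    raise ValueError(f"unknown PDPA constructor {kind!r}")


def well_typed(expr: Expr, n: int) -> bool:
    return arity(expr, n) is not None


def spec_well_typed(eqs: Dict[Tuple[int, str], Expr], n: int) -> bool:
    """Definition 3.2.2 requires every right-hand side E_ij of a PDPA
    specification to be an expression of arity n."""
    return all(arity(rhs, n) == n for rhs in eqs.values())


# Constructed expressions over Q = {q1, q2} (so n = 2) and Z = {Z}.
N = 2
A, B = ("act", "a"), ("act", "b")
Q1Z, Q2Z = ("frag", 1, "Z"), ("frag", 2, "Z")
Q2E = ("frag", 2, "")                     # the empty fragment [q2, eps]

PREFIX = ("dot", A, Q1Z)                  # a.[q1,Z]: arity n
NARY = ("semi", Q1Z, (Q1Z, Q2Z))          # [q1,Z];[q_n,Z]: arity n
NARY_TO_1 = ("semi", Q1Z, (A, B))         # [q1,Z];(a,b): continues with arity-1 processes
MIXED = ("plus", A, Q1Z)                  # a + [q1,Z]: the two sorts may not be summed
BAD_DOT = ("dot", Q1Z, A)                 # [q1,Z].a: left component must have arity 1
BAD_SEMI = ("semi", A, (A, B))            # a;(a,b): head must have arity n

# Equations of a specification in the sense of Definition 3.2.2, keyed by
# (state index, stack symbol); every right-hand side has arity n.
EQS = {
    (1, "Z"): ("plus", ("dot", A, NARY), ("dot", B, Q2E)),
    (2, "Z"): ("dot", B, Q2E),
}

if __name__ == "__main__":
    for name, e in [("PREFIX", PREFIX), ("NARY", NARY), ("NARY_TO_1", NARY_TO_1),
                    ("MIXED", MIXED), ("BAD_DOT", BAD_DOT), ("BAD_SEMI", BAD_SEMI)]:
        print(f"{name:10} arity = {arity(e, N)}")
    print("specification well-typed:", spec_well_typed(EQS, N))
```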



Definition 3.2.2 (PDPA Specification).

A PDPA specification or pushdown process specification^ is a quintuple
$\mathcal{D} = (Q, Z, Act, \mathcal{E}, [q_1, Z_1])$
consisting of

— a finite set of control states $Q = \{q_1, \ldots, q_n\}$,

— a finite set of stack symbols $Z$,

— a finite set of actions $Act$,

— a finite set of recursive process equations

$\mathcal{E} = \{[q_i, Z_j] = E_{ij} \mid q_i \in Q, Z_j \in Z\}$

where the $E_{ij}$ are PDPA expressions of arity $n$ over $Q$, $Z$, and $Act$, obeying
the restrictions

— $\varepsilon$ does not occur in $E_{ij}$, and

— empty fragments $[q, \varepsilon]$ may only occur in $E_{ij}$ in subterms of the form
$E.[q, \varepsilon]$,

and

— a fragment $[q_1, Z_1]$ called the root.

The restrictions given for right-hand sides of process equations will guarantee
that e.g. expressions of the form $\varepsilon + E$, or $[q, \varepsilon] + E$ do not occur in
a PDPA specification. Nevertheless, one could also consider PDPA specifications
constructed without these restrictions leading to PDPA$_\varepsilon$ specifications,
similar to the distinction of BPA and BPA$_\varepsilon$ specifications. But different from
BPA specifications where the only terminating process $\varepsilon$ is not allowed to
occur, although it may be reached by means of the transition rule $a \xrightarrow{a} \varepsilon$,
in our framework we must admit occurrences of empty fragments at least in
restricted form. Otherwise there would be no way for the defined process to
terminate.

Analogous to BPA specifications, the following syntactical notion of 
guardedness will now ensure that every guarded PDPA specification always 
defines a uniquely determined process. 

Definition 3.2.3 (Guardedness).

An occurrence of a fragment $[q, \gamma]$ in a PDPA term $t$ is said to be guarded
if $t$ has a subterm $a.t'$ such that '$a$' is an atomic action and $t'$ contains the
occurrence of $[q, \gamma]$. We call a PDPA term guarded if every occurrence of a
fragment is guarded in $t$, and a PDPA specification is called guarded if each
right-hand side term is guarded.

In the sequel, we will restrict our attention to guarded PDPA specifications. 

After we have dealt with the problem of arity we have now to solve a
second problem arising from the presence of two different sorts of processes
which concerns termination. Essentially, a pushdown process can either terminate
by reaching $\varepsilon$, or by reaching a fragment $[q_i, \varepsilon]$ with empty stack
component, respectively. The kind of termination plays a major role when
sequentially composed processes are considered and must therefore explicitly
be distinguished. This distinction is accomplished by means of the following
termination predicates.

Definition 3.2.4 (Termination).

The termination predicates $\downarrow_0$, $\downarrow_i$ for $1 \le i \le n$, are inductively defined
by the following rules. The base cases are

$\varepsilon \downarrow_0$ and $[q_i, \varepsilon] \downarrow_i$,

while composed processes are handled by the rules

$E \downarrow_0$ implies $(E + F) \downarrow_0$ and $(F + E) \downarrow_0$

$E \downarrow_i$ implies $(E + F) \downarrow_i$ and $(F + E) \downarrow_i$

$E \downarrow_0,\ F \downarrow_0$ implies $E.F \downarrow_0$

$E \downarrow_0,\ F \downarrow_i$ implies $E.F \downarrow_i$

$E \downarrow_j,\ F_j \downarrow_0$ implies $E;F_n \downarrow_0$, for $1 \le j \le n$

$E \downarrow_j,\ F_j \downarrow_i$ implies $E;F_n \downarrow_i$, for $1 \le j \le n$

A simple consequence of this definition is that processes of arity 1 may
only $\downarrow_0$-terminate, while processes of arity $n$ may $\downarrow_i$-terminate, for some $1 \le
i \le n$.

Using the auxiliary termination predicates, the operational semantics of 
a pushdown process is now given by the following definition. 

Definition 3.2.5 (Operational Semantics).

Any PDPA specification $\mathcal{D} = (Q, Z, Act, \mathcal{E}, [q_1, Z_1])$ with $Q = \{q_1, \ldots, q_n\}$
defines a labelled transition graph $\mathcal{T} = (Q \times Z^*, Act, \rightarrow)$ where the transition
relations $\xrightarrow{a}$, $a \in Act$ are given as the least relations satisfying the rules shown
in Table 3.2.

$a \xrightarrow{a} \varepsilon$, $a \in Act$          $\frac{E \xrightarrow{a} E'}{[q, Z] \xrightarrow{a} E'}\ \ [q, Z] = E \in \mathcal{E}$          $\frac{[q, Z] \xrightarrow{a} E'}{[q, Z\gamma] \xrightarrow{a} E';[q_n, \gamma]}$

$\frac{E \xrightarrow{a} E'}{E.F \xrightarrow{a} E'.F}$          $\frac{E \downarrow_0,\ F \xrightarrow{a} F'}{E.F \xrightarrow{a} F'}$

$\frac{E \xrightarrow{a} E'}{E;F_n \xrightarrow{a} E';F_n}$          $\frac{E \downarrow_i,\ F_i \xrightarrow{a} F'}{E;F_n \xrightarrow{a} F'}$, $1 \le i \le n$

$\frac{E \xrightarrow{a} E'}{E + F \xrightarrow{a} E'}$          $\frac{F \xrightarrow{a} F'}{E + F \xrightarrow{a} F'}$

Table 3.2. Action relations of PDPA.
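The termination predicates of Definition 3.2.4 and the action relations of Table 3.2 in executable form, as an added Python example that is not code from the monograph: `term` computes the set of $k$ with $E \downarrow_k$ and `succ` derives all transitions $E \xrightarrow{a} E'$ with respect to a constructed specification. The tuple encoding of expressions and the use of law A7 ($\varepsilon.E = E$) to drop a leading $\varepsilon$ from successor terms are assumptions of the example.

```python
from typing import Dict, FrozenSet, Set, Tuple

# PDPA expressions in the tuple encoding assumed for this example (not the
# monograph's notation): ("eps",), ("act", a), ("frag", i, gamma) for the
# fragment [q_i, gamma] with 1 <= i <= n and gamma a string over Z,
# ("plus", E1, E2), ("dot", E1, E2) and ("semi", E, (E1, ..., En)).
Expr = Tuple
# The equations [q_i, Z] = E of a specification, keyed by (i, Z).
Equations = Dict[Tuple[int, str], Expr]


def term(e: Expr) -> FrozenSet[int]:
    """Termination predicates of Definition 3.2.4: the set of indices k with
    E|k, where 0 stands for |0 (the empty process) and i in 1..n for |i
    (a configuration [q_i, eps] with empty stack)."""
    kind = e[0]
    if kind == "eps":
        return frozenset({0})
    if kind == "act":
        return frozenset()
    if kind == "frag":
        return frozenset({e[1]}) if e[2] == "" else frozenset()
    if kind == "plus":            # E|k implies (E+F)|k and (F+E)|k
        return term(e[1]) | term(e[2])
    if kind == "dot":             # E|0, F|k implies E.F|k
        return term(e[2]) if 0 in term(e[1]) else frozenset()
    if kind == "semi":            # E|j, F_j|k implies E;F_n|k
        comps = e[2]
        return frozenset().union(*(term(comps[j - 1]) for j in term(e[1]) if j >= 1))
    raise ValueError(f"unknown constructor {kind!r}")


def succ(e: Expr, eqs: Equations, n: int) -> Set[Tuple[str, Expr]]:
    """All transitions E -a-> E' derivable by the rules of Table 3.2, as a
    set of pairs (a, E')."""
    kind = e[0]
    if kind == "eps":
        return set()
    if kind == "act":                          # a -a-> eps
        return {(e[1], ("eps",))}
    if kind == "frag":
        i, gamma = e[1], e[2]
        if gamma == "":                        # [q_i, eps] performs no action
            return set()
        if len(gamma) == 1:                    # [q,Z] -a-> E' if [q,Z] = E and E -a-> E'
            return succ(eqs[(i, gamma)], eqs, n)
        # [q, Z gamma'] -a-> E';[q_n, gamma'] whenever [q, Z] -a-> E'
        rest = tuple(("frag", j, gamma[1:]) for j in range(1, n + 1))
        return {(a, ("semi", e1, rest))
                for a, e1 in succ(("frag", i, gamma[0]), eqs, n)}
    if kind == "plus":
        return succ(e[1], eqs, n) | succ(e[2], eqs, n)
    if kind == "dot":
        left, right = e[1], e[2]
        # E -a-> E' implies E.F -a-> E'.F; a leading eps is dropped by law A7.
        out = {(a, right if e1 == ("eps",) else ("dot", e1, right))
               for a, e1 in succ(left, eqs, n)}
        if 0 in term(left):                    # E|0, F -a-> F' implies E.F -a-> F'
            out |= succ(right, eqs, n)
        return out
    if kind == "semi":
        head, comps = e[1], e[2]
        out = {(a, ("semi", e1, comps)) for a, e1 in succ(head, eqs, n)}
        for j in term(head):                   # E|j, F_j -a-> F' implies E;F_n -a-> F'
            if j >= 1:
                out |= succ(comps[j - 1], eqs, n)
        return out
    raise ValueError(f"unknown constructor {kind!r}")


def run(e: Expr, word: str, eqs: Equations, n: int) -> Set[Expr]:
    """Processes reachable from E by performing the actions of `word` in order."""
    current = {e}
    for a in word:
        current = {e1 for x in current for b, e1 in succ(x, eqs, n) if b == a}
    return current


# Constructed specification over Q = {q1, q2}, Z = {Z}, Act = {a, b, c}:
#   [q1, Z] = a.[q1, ZZ] + b.[q2, eps]    push another Z, or pop into state q2
#   [q2, Z] = c.[q2, eps]                 pop one Z while staying in q2
N = 2
EQS: Equations = {
    (1, "Z"): ("plus", ("dot", ("act", "a"), ("frag", 1, "ZZ")),
                       ("dot", ("act", "b"), ("frag", 2, ""))),
    (2, "Z"): ("dot", ("act", "c"), ("frag", 2, "")),
}
ROOT = ("frag", 1, "Z")

if __name__ == "__main__":
    # Each a pushes one Z, b switches to q2, then one c per remaining Z.
    for final in run(ROOT, "aabcc", EQS, N):
        print(final, "terminates with", sorted(term(final)))
```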



A state in the labelled transition graph defined by some PDPA specification
is called a pushdown process (or PDPA process). If the PDPA specification
$\mathcal{D}$ is clear from the context we shall also call a PDPA expression $E$ a
pushdown process meaning the state labelled with $E$ in the labelled transition
graph defined by $\mathcal{D}$. It should be noted that pushdown processes are finitely
branching, i.e. for every $E$ there are only finitely many $E'$ with $E \xrightarrow{a} E'$.

The name pushdown process algebra originates from the fact that each 
classical pushdown automaton without empty moves induces a PDPA speci- 
fication in the following sense. 

Definition 3.2.6. Let $\mathcal{A} = (Q, Z, Act, \vartheta, q_1, Z_1)$ be a pushdown automaton.
The PDPA specification induced by $\mathcal{A}$ is defined as

$\mathcal{D}_{\mathcal{A}} = (Q, Z, Act, \mathcal{E}_{\mathcal{A}}, [q_1, Z_1])$

where

$[q, Z] = \sum_i a_i.[q'_i, \beta_i] \in \mathcal{E}_{\mathcal{A}}$ iff $(q'_i, \beta_i) \in \vartheta(q, a_i, Z)$.



3.3 Expressiveness 

Regular processes and BPA (Basic Process Algebra) processes, which are
also known as context-free processes (cf. e.g. [CHS92]), can both be seen as
special instances of PDPA processes. More specifically, a BPA process is a
PDPA process where $Q$ contains only a single control state $q$. As in this case
the single state is irrelevant the fragment $[q, \gamma]$ is identified with the word $\gamma$
and a simple fragment is called a variable. Even more, the n-ary sequential
composition collapses into the unary one which is usually written as $E \cdot F$
or simply as $EF$. Restricting the sequential composition further to prefixing
$a \cdot X$, also written as $a.X$, gives the class of regular processes. Note that the
stack symbols $Z_i$ play the role of the nonterminals of a context-free or regular
grammar in these cases.

It is well known that each regular process possesses only a finite number
of equivalence classes wrt. bisimulation (a regular process is therefore
also called a finite-state system), whereas BPA processes, and consequently
also pushdown processes, have in general an infinite number of equivalence
classes. Moreover, Caucal and Monfort have shown in [CM90] that pushdown
processes are strictly more expressive with respect to bisimulation semantics
than context-free processes. The authors prove this remarkable result by considering
the multiplicity of transition graphs.

First, a vertex $s$ is called a multiple start vertex for vertices $t_1$ and $t_2$,
where $t_1 = t_2$ is allowed, if there exist two disjoint paths $s \rightarrow^* t_1$ and $s \rightarrow^* t_2$,
i.e. both paths have except the start and possibly the end vertices no vertices
in common. A graph is then said to have finite multiplicity if any pair of
vertices $t_1$ and $t_2$ have only a finite number of start vertices.

Now it turns out that BPA processes have always finite multiplicity,
whereas there exist pushdown processes which have infinite multiplicity. An
example is given by the pushdown automaton $\mathcal{A}$ of Table 3.3.



$\mathcal{A} = (Q, Z, Act, \vartheta, q_1, Z)$ where

$Q = \{q_1, q_2, q_3, q_4\}$

$Act = \{a, b, c, d\}$

$Z = \{Z\}$ and

$\vartheta(q_1, a, Z) = \{(q_1, ZZ)\}$

$\vartheta(q_1, b, Z) = \{(q_2, \varepsilon)\}$

$\vartheta(q_2, d, Z) = \{(q_2, \varepsilon)\}$

$\vartheta(q_1, c, Z) = \{(q_3, \varepsilon)\}$

$\vartheta(q_3, d, Z) = \{(q_4, \varepsilon)\}$

$\vartheta(q_4, d, Z) =$

Table 3.3. A pushdown automaton.



As can be seen from its associated transition graph shown in Figure 3.2
the states $q_2 \varepsilon$ and $q_3 \varepsilon$ have an infinite multiplicity with start vertices $q_1 Z^i$,
for $i \ge 1$. Hence, this proves that there cannot exist a BPA process which is
bisimilar to the labelled transition graph of the pushdown automaton $\mathcal{A}$.
[Figure 3.2 not reproduced: the configurations $q_1 Z^i$, $q_2 Z^i$, $q_3 Z^i$, $q_4 Z^i$ and their $a$-, $b$-, $c$- and $d$-labelled transitions.]

Fig. 3.2. The labelled transition graph generated by the PDA $\mathcal{A}$.



3.4 PDPA Laws 

In this section we review the usual BPA$_\varepsilon$ laws [BW90] in the context of
pushdown processes. These generalised BPA$_\varepsilon$ laws, accordingly called PDPA
laws, express the algebraic properties of the PDPA operators, and are given
in Table 3.4^.

Intuitively, the first three laws express the commutativity, associativity
and idempotence of nondeterministic choice. A4$_1$ is the usual BPA
law A4, while A4$_n$ is the corresponding generalisation for pushdown processes.
These two laws state the right distributivity of sequential composition
over $+$. Moreover, the associativity of sequential composition follows
from A5$_{1,1}$, ..., A5$_{n,n}$. Of special interest is the law A6 which shows how
to decompose nonsimple fragments. This law will play a major role in our
model-checking algorithm presented in Chapter 4. Finally, the laws A7 and
A8, which are identical to the appropriate BPA$_\varepsilon$ laws, state that $\varepsilon$ is the
neutral element for unary sequential composition. A9 and A10 are generalisations
of these two laws capturing the structure of fragments: $[q_i, \varepsilon]$ behaves
like a left neutral element, which additionally selects the process to continue
with, and $[q_n, \varepsilon]$ like a right neutral element for n-ary sequential composition.

As for the BPA$_\varepsilon$ laws, the PDPA laws are easily shown to be sound with
respect to bisimilarity.

Proposition 3.4.1 (Soundness of the PDPA Laws).

All the PDPA laws are valid up to $\sim$.

Proof. Each law is shown to be sound with respect to bisimilarity by proving
that a certain corresponding binary relation over PDPA expressions is in
fact a bisimulation. In the following we present all the required bisimulation
relations, together with a correctness proof for the most difficult cases A5$_{n,n}$

^ Note again that the class of pushdown processes with arity 1 coincides with the
class of BPA processes, since the n-ary sequential composition then collapses
into the unary one. Consequently, in this case the axioms A4$_1$ and A4$_n$, as well
as A5$_{1,1}$, ..., A5$_{n,n}$ collapse too.
A1 : $E_1 + E_2 = E_2 + E_1$
A2 : $(E_1 + E_2) + E_3 = E_1 + (E_2 + E_3)$
A3 : $E_1 + E_1 = E_1$
A4$_1$ : $(E_1 + E_2).F = E_1.F + E_2.F$
A4$_n$ : $(E_1 + E_2); F_n = E_1; F_n + E_2; F_n$
A5$_{1,1}$ : $(E.F).G = E.(F.G)$
A5$_{1,n}$ : $(E.F); G_n = E.(F; G_n)$
A5$_{n,1}$ : $(E; F_n).G = E; (F_n.G)$
A5$_{n,n}$ : $(E; F_n); G_n = E; (F_n; G_n)$
A6 : $[q, Z\gamma] = [q, Z]; [q_n, \gamma]$
A7 : $\varepsilon.E = E$
A8 : $E.\varepsilon = E$
A9 : $[q_i, \varepsilon]; F_n = F_i$
A10 : $E; [q_n, \varepsilon] = E$

Table 3.4. The PDPA laws.



and A6. To simplify the notation let $\mathcal{P}$ be the set of all PDPA expressions.
Accordingly, $\mathcal{P}^n$ will denote the n-fold cartesian product of $\mathcal{P}$. Moreover, we
will write $\mathcal{P}_{id}$ for the identity relation on $\mathcal{P}$, i.e. $\mathcal{P}_{id} =_{df} \{(P, P) \mid P \in \mathcal{P}\}$.
For consistency, we assume that all PDPA expressions occurring in the proof
are well-typed.

— A1 : $E_1 + E_2 \sim E_2 + E_1$ as
$R_1 = \{(E_1 + E_2,\ E_2 + E_1) \mid E_1, E_2 \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A2 : $(E_1 + E_2) + E_3 \sim E_1 + (E_2 + E_3)$ as
$R_2 = \{((E_1 + E_2) + E_3,\ E_1 + (E_2 + E_3)) \mid E_1, E_2, E_3 \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a
bisimulation.

— A3 : $E_1 + E_1 \sim E_1$ as
$R_3 = \{(E_1 + E_1,\ E_1) \mid E_1 \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A4$_1$ : $(E_1 + E_2).F \sim E_1.F + E_2.F$ as
$R_{4_1} = \{((E_1 + E_2).F,\ E_1.F + E_2.F) \mid E_1, E_2, F \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A4$_n$ : $(E_1 + E_2); F_n \sim E_1; F_n + E_2; F_n$ as
$R_{4_n} = \{((E_1 + E_2); F_n,\ E_1; F_n + E_2; F_n) \mid E_1, E_2 \in \mathcal{P},\ F_n \in \mathcal{P}^n\} \cup \mathcal{P}_{id}$ is
a bisimulation.

— A5$_{1,1}$ : $(E.F).G \sim E.(F.G)$ as
$R_{5_{1,1}} = \{((E.F).G,\ E.(F.G)) \mid E, F, G \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A5$_{1,n}$ : $(E.F); G_n \sim E.(F; G_n)$ as
$R_{5_{1,n}} = \{((E.F); G_n,\ E.(F; G_n)) \mid E, F \in \mathcal{P},\ G_n \in \mathcal{P}^n\} \cup \mathcal{P}_{id}$ is a
bisimulation.

— A5$_{n,1}$ : $(E; F_n).G \sim E; (F_n.G)$ as
$R_{5_{n,1}} = \{((E; F_n).G,\ E; (F_n.G)) \mid E, G \in \mathcal{P},\ F_n \in \mathcal{P}^n\} \cup \mathcal{P}_{id}$ is a
bisimulation.

— A5$_{n,n}$ : $(E; F_n); G_n \sim E; (F_n; G_n)$ as
$R_{5_{n,n}} = \{((E; F_n); G_n,\ E; (F_n; G_n)) \mid E \in \mathcal{P},\ F_n, G_n \in \mathcal{P}^n\} \cup \mathcal{P}_{id}$ is a
bisimulation.

First suppose that there exists a transition

$(E; F_n); G_n \xrightarrow{a} (E'; F_n); G_n$

due to some transition $E; F_n \xrightarrow{a} E'; F_n$ which in turn must be due to some
transition $E \xrightarrow{a} E'$. Then we also have

$E; (F_n; G_n) \xrightarrow{a} E'; (F_n; G_n)$

and by definition

$((E'; F_n); G_n,\ E'; (F_n; G_n)) \in R_{5_{n,n}}$.

The reverse direction for this case is shown in a similar way. Now consider
a transition of the form

$(E; F_n); G_n \xrightarrow{a} F_i'; G_n$

due to $E \downarrow_i$, $F_i \xrightarrow{a} F_i'$, and thus $E; F_n \xrightarrow{a} F_i'$. This yields

$E; (F_n; G_n) \xrightarrow{a} F_i'; G_n$

due to $F_i; G_n \xrightarrow{a} F_i'; G_n$ and obviously

$(F_i'; G_n,\ F_i'; G_n) \in R_{5_{n,n}}$.

Again the reverse direction follows by symmetric arguments. Finally, we
may have a transition

$(E; F_n); G_n \xrightarrow{a} G_j'$

since $E \downarrow_i$, $F_i \downarrow_j$ and $G_j \xrightarrow{a} G_j'$. But then

$E; (F_n; G_n) \xrightarrow{a} G_j'$

follows from $F_i; G_n \xrightarrow{a} G_j'$ and we have $(G_j', G_j') \in R_{5_{n,n}}$. Observing that
the reverse direction is shown symmetrically completes the proof.

— A6 : $[q, Z\gamma] \sim [q, Z]; [q_n, \gamma]$ as
$R_6 = \{([q, Z\gamma],\ [q, Z]; [q_n, \gamma]) \mid q, q_i \in Q,\ Z\gamma \in Z^+\} \cup \mathcal{P}_{id}$ is a bisimulation.
In order to prove this case assume that there exists a transition

$[q, Z\gamma] \xrightarrow{a} E; [q_n, \gamma]$

due to a transition $[q, Z] \xrightarrow{a} E$. Then we also have

$[q, Z]; [q_n, \gamma] \xrightarrow{a} E; [q_n, \gamma]$

and clearly $(E; [q_n, \gamma],\ E; [q_n, \gamma]) \in R_6$, as desired. If on the other hand

$[q, Z]; [q_n, \gamma] \xrightarrow{a} E; [q_n, \gamma]$

due to some transition $[q, Z] \xrightarrow{a} E$, we obtain also

$[q, Z\gamma] \xrightarrow{a} E; [q_n, \gamma]$

and clearly $(E; [q_n, \gamma],\ E; [q_n, \gamma]) \in R_6$, which completes this part of the
proof.

— A7 : $\varepsilon.E \sim E$ as
$R_7 = \{(\varepsilon.E,\ E) \mid E \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A8 : $E.\varepsilon \sim E$ as
$R_8 = \{(E.\varepsilon,\ E) \mid E \in \mathcal{P}\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A9 : $[q_i, \varepsilon]; F_n \sim F_i$ as
$R_9 = \{([q_i, \varepsilon]; F_n,\ F_i) \mid q_i \in Q,\ F_n \in \mathcal{P}^n\} \cup \mathcal{P}_{id}$ is a bisimulation.

— A10 : $E; [q_n, \varepsilon] \sim E$ as
$R_{10} = \{(E; [q_n, \varepsilon],\ E) \mid E \in \mathcal{P},\ q_i \in Q\} \cup \mathcal{P}_{id}$ is a bisimulation.

□



3.5 Pushdown Normal Form 

For any computing devices, like e.g. Turing machines, grammars or automata,
it is, in general, interesting to know whether there exist certain normal forms
which allow the object under consideration to be studied merely for a restricted
range of instances without compromising expressiveness. Usually, proofs benefit
most from the existence of normal forms as they can often be significantly
simplified if the device at hand can be assumed to be of a specific form.

In formal language theory, for example, Chomsky Normal Form, as well as
Greibach Normal Form, both constitute important normal forms for context-free
grammars. Furthermore, for pushdown automata a normal form is known
which allows attention to be restricted to pushdown automata pushing at most
2 symbols onto the stack when reading an input symbol^.

By applying these ideas to the setting of process theory Baeten, Bergstra,
and Klop have shown in [BBK87a] that any guarded BPA specification can
effectively be represented in Greibach Normal Form (GNF), i.e. by equations
of the form $X = \sum_i a_i.\alpha_i$. This result is further strengthened in [Hüt91]
by proving that the length of the string $\alpha_i$ can be bounded by 2. Recursive
specifications with this property are said to be in 2-GNF. Here we present
the analogous result for PDPA specifications, namely that each pushdown process
up to bisimilarity is induced by some pushdown automaton, i.e. is a pushdown
process in Pushdown Normal Form. In Section 3.7 we improve on this result,
by showing that the pushdown automaton can additionally be assumed to
push at most 2 symbols onto the stack during a transition step.

^ In fact, there are even stronger normal forms known for pushdown automata (cf.
[HU79]) which are, however, of no interest here.







Definition 3.5.1 (Pushdown Normal Form (PDNF)).

A PDPA specification $\mathcal{D} = (Q, Z, Act, \mathcal{E}, [q_1, Z_1])$ is said to be in Pushdown
Normal Form (PDNF) if all equations of $\mathcal{E}$ are of the form

$[q, Z] = \sum_i a_i.[q'_i, \beta_i]$

If the length of each word $\beta_i$ is bounded by some $k$, the PDPA specification
is said to be in k-PDNF.

Theorem 3.5.1. If $\mathcal{D}$ is a guarded PDPA specification, we can effectively
find a specification $\mathcal{D}'$ in PDNF such that $\mathcal{D} \sim \mathcal{D}'$, i.e. the roots of $\mathcal{D}$
and $\mathcal{D}'$ are bisimilar.

Proof. Let $\mathcal{D} = (Q, Z, Act, \mathcal{E}, [q_1, Z_1])$ be a guarded PDPA specification. Our
procedure for rewriting $\mathcal{E}$ into PDNF consists of a sequence of transformations,
which are similar to the ones used for rewriting BPA equations into
Greibach Normal Form (cf. [Hüt91]). Since during the rewrite procedure we
will temporarily generate equations with ordinary variables on the left-hand
side, we will use generalised variables $X, Y$ to denote both ordinary variables
and simple fragments, respectively.

Step 1: We apply the right-distributive laws A4$_1$ and A4$_n$ from left to right
as far as possible. Then, for all atomic actions $a$, we replace all internal
occurrences of $a$ by $X_a$, while keeping the resulting specification guarded,
and add the equation $X_a = a$ to $\mathcal{E}$.

Step 2: We successively remove all outermost unresolved sums, all unresolved
sequential compositions and all nonsimple fragments. An unresolved sum is
a sum $F + G$ which occurs in an expression of the form

$E.(F + G)$ or $E; (E_1, \ldots, F + G, \ldots, E_n)$,

while an unresolved sequential composition is either a sequential composition
$F.G$ occurring in an expression

$E.F.G$ or $E; (E_1, \ldots, F.G, \ldots, E_n)$,

or a sequential composition $F; G_n$ occurring in an expression

$E; (E_1, \ldots, F; G_n, \ldots, E_n)$.

We now repeat the following loop until all unresolved expressions and nonsimple
fragments are eliminated.

— Replace each outermost unresolved sum $F + G$ by a new variable $X_{F+G}$
and add the equation $X_{F+G} = F + G$ to $\mathcal{E}$.

— Replace each outermost unresolved sequential composition $\alpha$ by a new
variable $X_\alpha$ and add the equation $X_\alpha = \alpha$ to $\mathcal{E}$.

— Replace each nonsimple fragment $[q, Z\gamma]$ by a new variable $X_{[q, Z\gamma]}$ and add
the equation $X_{[q, Z\gamma]} = [q, Z]; [q_n, \gamma]$ to $\mathcal{E}$.
After eliminating all unresolved expressions, each equation is of the form

$X = \sum_i \alpha_i + \sum_j \beta_j$

where $X$ is a generalised variable, and $\alpha_i, \beta_j$ are sequences of sequentially
composed generalised variables.

Step 3: In the following, we say that an equation belongs to stratum $i$, if it is
added in the $i$-th loop of the previous step. Thus all of the original equations
are members of stratum 0. This classification is important for the elimination
of the unguarded equations, which may have been introduced in the previous
transformation step:

— For each successive stratum $i$, for each equation in stratum $i$, and for each
unguarded summand $X_j.\beta_j$ (or $X_j; \beta_j$), replace $X_j$ by its definition $\sum_k a_k.\alpha_k$
and subsequently apply the right-distributive laws A4$_1$ and A4$_n$ to obtain
the guarded summand $\sum_k a_k.\alpha_k.\beta_j$ (or $\sum_k a_k.\alpha_k; \beta_j$).

The correctness and termination of this procedure relies on the fact that all
definitions of variables introduced in stratum $i$ use only variables in strata
$< i$ and moreover, that all equations of stratum 0 are already guarded.

Step 4: Now we replace all ordinary variables by appropriate simple fragments:

— Replace each ordinary variable $X$ in an expression $E.X$ by $[q_1, X]$ and the
equation $X = E'$ from $\mathcal{E}$ by $[q_1, X] = E'$.

— Replace each ordinary variable $X$ in an expression

$E; (E_1, \ldots, E_{i-1}, X, E_{i+1}, \ldots, E_n)$

by $[q_i, X]$ and each equation $X = E'$ from $\mathcal{E}$ by the $n$ equations $[q_i, X] = E'$,
for $1 \le i \le n$.

Step 5: The last transformation step normalises the fragments and delivers
the intended normal form.

1. Replace each fragment $[q_k, Z]$ in an expression

$E; (E_1, \ldots, E_{i-1}, [q_k, Z], E_{i+1}, \ldots, E_n)$

with $k \ne i$ by $[q_i, Y_{[q_k, Z]}]$ and add the equation $[q_i, Y_{[q_k, Z]}] = E'$ to $\mathcal{E}$
whenever $[q_k, Z] = E'$ is already an equation of $\mathcal{E}$.

2. Replace each expression $([q_1, Z_1], \ldots, [q_n, Z_n])$ containing $Z_i \ne Z_j$, i.e.
not all $Z_i$ are identical, by $([q_1, Y_{Z_1 \ldots Z_n}], \ldots, [q_n, Y_{Z_1 \ldots Z_n}])$, and add the
equations $[q_i, Y_{Z_1 \ldots Z_n}] = E_i$ to $\mathcal{E}$ whenever $[q_i, Z_i] = E_i$ is already contained
in $\mathcal{E}$.

3. Replace each n-ary sequential composition $[q, \alpha]; [q_n, \beta]$ by $[q, \alpha\beta]$.

Since all steps of the algorithm either simply apply PDPA laws or introduce
new variables that rename expressions, bisimilarity is preserved, which completes
the proof. □

Example

We illustrate the transformation into Pushdown Normal Form by means of
the following PDPA specification where the right-hand side of $[q_1, Z_1]$ is not
in normal form. To ease the readability, expressions that have changed during
a transformation step are indicated by underlining.

$[q_1, Z_1] = (a + b.a).[q_1, \varepsilon] + a.[q_2, Z_1]; ([q_2, Z_1],\ [q_2, Z_1] + [q_3, Z_1],\ [q_3, Z_1])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$

Step 1: Application of the PDPA law A4$_1$, and elimination of internal actions.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.X_a.[q_1, \varepsilon] + a.[q_2, Z_1]; ([q_2, Z_1],\ [q_2, Z_1] + [q_3, Z_1],\ [q_3, Z_1])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$X_a = a$

Step 2: Elimination of unresolved sequential compositions and unresolved
sums.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.X_1 + a.[q_2, Z_1]; ([q_2, Z_1],\ X_2,\ [q_3, Z_1])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$X_a = a$
$X_1 = X_a.[q_1, \varepsilon]$
$X_2 = [q_2, Z_1] + [q_3, Z_1]$

Step 3: Guardedness transformation via strata.

Note that the equations of $X_1$ and $X_2$ belong to stratum 1, while all others
are members of stratum 0. To ease the presentation we omit henceforth the
equation of $X_a$ since the variable no longer occurs in the right-hand side of
any equation.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.X_1 + a.[q_2, Z_1]; ([q_2, Z_1],\ X_2,\ [q_3, Z_1])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$X_1 = a.[q_1, \varepsilon]$
$X_2 = a.[q_2, \varepsilon] + b.[q_1, Z_1]$

Step 4: Replacement of ordinary variables.

Since $[q_2, X_1]$ and $[q_1, X_2]$ are not referenced we omit the associated equations.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.[q_1, X_1] + a.[q_2, Z_1]; ([q_2, Z_1],\ [q_2, X_2],\ [q_3, Z_1])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$[q_1, X_1] = a.[q_1, \varepsilon]$
$[q_2, X_2] = a.[q_2, \varepsilon] + b.[q_1, Z_1]$

Step 5.1: Normalization of fragments I.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.[q_1, X_1] + a.[q_2, Z_1]; ([q_1, X_3],\ [q_2, X_2],\ [q_3, Z_1])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$[q_1, X_1] = a.[q_1, \varepsilon]$
$[q_2, X_2] = a.[q_2, \varepsilon] + b.[q_1, Z_1]$
$[q_1, X_3] = a.[q_2, \varepsilon]$

Step 5.2: Normalization of fragments II.

Since the equations for $[q_1, X_3]$ and $[q_2, X_2]$ are no longer needed we omit
reference to them.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.[q_1, X_1] + a.[q_2, Z_1]; ([q_1, X_4],\ [q_2, X_4],\ [q_3, X_4])$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$[q_1, X_1] = a.[q_1, \varepsilon]$
$[q_1, X_4] = a.[q_2, \varepsilon]$
$[q_2, X_4] = a.[q_2, \varepsilon] + b.[q_1, Z_1]$
$[q_3, X_4] = b.[q_1, Z_1]$

Step 5.3: Normalization of fragments III.

$[q_1, Z_1] = a.[q_1, \varepsilon] + b.[q_1, X_1] + a.[q_2, Z_1X_4]$
$[q_2, Z_1] = a.[q_2, \varepsilon]$
$[q_3, Z_1] = b.[q_1, Z_1]$
$[q_1, X_1] = a.[q_1, \varepsilon]$
$[q_1, X_4] = a.[q_2, \varepsilon]$
$[q_2, X_4] = a.[q_2, \varepsilon] + b.[q_1, Z_1]$

Finally, the PDPA specification obtained is in Pushdown Normal Form.
3.6 Parallel Composition

BPA processes arise, as explained in Section 2.6, in a natural way from the
more expressive Process Algebra (PA) by omission of the (asynchronous)
parallel operator. When considering PDPA processes, parallel composition
comes, however, again into play, as the operational behaviour of the pushdown
process may be interpreted as the synchronised parallel combination of the
finite state control and the stack where certain transitions are forbidden.

In this section we elaborate on this point of view by introducing a binary
CSP-like parallel operator $\|$ for PDPA processes (cf. [Hoa85]) and, subsequently,
proving that the class of PDPA processes is closed under parallel
composition with regular processes. Intuitively, the parallel composition
$P \| Q$ of two processes requires the synchronisation of the actions common
to both component alphabets and allows the interleaving of the others.



Definition 3.6.1 (Synchronous Parallel Composition).

The synchronous parallel composition $P \| Q$ of two processes $P, Q$ behaves
as follows:

$\dfrac{P \xrightarrow{a} P'}{P \| Q \xrightarrow{a} P' \| Q}\quad a \notin Act(Q)$

$\dfrac{Q \xrightarrow{a} Q'}{P \| Q \xrightarrow{a} P \| Q'}\quad a \notin Act(P)$

$\dfrac{P \xrightarrow{a} P',\ Q \xrightarrow{a} Q'}{P \| Q \xrightarrow{a} P' \| Q'}$

Using this notion of synchronous parallelism it turns out that the parallel
composition of a pushdown process $P$ with a regular process $R$ can again be
modelled up to bisimilarity as a pushdown process $P'$. The construction given
in the proof of the following theorem, essentially, incorporates the behaviour
of $R$ into the finite state control of $P$ without modifying the stack.

Theorem 3.6.1 (Expansion Theorem).

Given a pushdown process $P$ and a regular process $R$, we can effectively construct
a pushdown process $P'$ such that

$P' \sim P \| R$

Proof. Let $P$ be the root of the guarded PDPA specification

$\mathcal{D} = (Q, Z, Act, \mathcal{E}_\mathcal{D}, [q_1, Z_1])$

with state set $Q = \{q_1, \ldots, q_n\}$, and $R$ be the root of the guarded regular
specification

$\mathcal{R} = (V, Act, \mathcal{E}_\mathcal{R}, X_1)$

with variables $V = \{X_1, \ldots, X_m\}$, respectively. For simplicity, we assume
that each equation in $\mathcal{E}_\mathcal{R}$ is either of the form $X = \sum_i a_i.X_{j_i}$ with $a_i \in Act$
and $X_{j_i} \in V$, or of the form $X = \varepsilon$.
We construct the PDPA specification

$\mathcal{D}' = (Q \times V, Z, Act, \mathcal{E}_{\mathcal{D}'}, [(q_1, X_1), Z_1])$,

whose root $[(q_1, X_1), Z_1]$ will define $P'$, as follows:

$[(q, X), Z] = E_\mathcal{D} + E_\mathcal{R} + E_{\mathcal{D},\mathcal{R}}$

where

$E_\mathcal{D} = \sum a.[(q', X), \beta]$, where $a.[q', \beta]$ is a right-hand side summand
of $[q, Z]$ in $\mathcal{E}_\mathcal{D}$ and $a \notin Act(\mathcal{R})$,

$E_\mathcal{R} = \sum a.[(q, X'), Z]$, where $a.X'$ is a right-hand side summand
of $X$ in $\mathcal{E}_\mathcal{R}$ and $a \notin Act(\mathcal{D})$,

$E_{\mathcal{D},\mathcal{R}} = \sum a.[(q', X'), \beta]$, where $a.[q', \beta]$ is a right-hand side summand
of $[q, Z]$ in $\mathcal{E}_\mathcal{D}$ and $a.X'$ is a right-hand side summand of $X$ in $\mathcal{E}_\mathcal{R}$.

In order to prove $P' \sim P \| R$, we will now show that

$S = \{\ ([(q, X), \gamma],\ [q, \gamma] \| X) \mid q \in Q,\ \gamma \in Z^*,\ X \in V\ \}$

is a bisimulation up to $\sim$. Thus let $([(q, X), \gamma],\ [q, \gamma] \| X) \in S$.

Let us first consider the case where the stack is empty, and assume

$[(q, X), \varepsilon] \xrightarrow{a} E$.

Since $[q, \varepsilon]$ cannot perform any action we deduce that $E = [(q, X'), \varepsilon]$ for some
$X'$, that $a.X'$ is a right-hand side summand of $X$ in $\mathcal{E}_\mathcal{R}$ and that $a \notin Act(\mathcal{D})$.
Hence there exists a matching transition

$[q, \varepsilon] \| X \xrightarrow{a} [q, \varepsilon] \| X'$

and, moreover, we have $([(q, X'), \varepsilon],\ [q, \varepsilon] \| X') \in S$ by definition. For the
converse direction suppose that

$[q, \varepsilon] \| X \xrightarrow{a} E$.

This immediately implies that $E = [q, \varepsilon] \| X'$ for some $X'$, that $a.X'$ must
be a right-hand side summand of $X$ in $\mathcal{E}_\mathcal{R}$ and that $a \notin Act(\mathcal{D})$. Thus we
obtain

$[(q, X), \varepsilon] \xrightarrow{a} [(q, X'), \varepsilon]$

and again by definition $([(q, X'), \varepsilon],\ [q, \varepsilon] \| X') \in S$, as desired.

Now assume we have an expression with nonempty stack component and
some transition of the form

$[(q, X), Z\gamma] \xrightarrow{a} E$.

We will only consider the case where a required synchronisation occurs. The
other cases are simpler analogues. In this case, by definition of the transition
relation we must have

$[(q, X), Z] \xrightarrow{a} [(q', X'), \beta]$ and $E = [(q', X'), \beta]; [q_n \times X_m, \gamma]$

where $[q_n \times X_m, \gamma]$ abbreviates $([(q_1, X_1), \gamma], \ldots, [(q_n, X_m), \gamma])$. Thus by construction
of $\mathcal{E}_{\mathcal{D}'}$ we know that $a.[q', \beta]$ is a right-hand side summand of $[q, Z]$
in $\mathcal{E}_\mathcal{D}$, while $a.X'$ is a right-hand side summand of $X$ in $\mathcal{E}_\mathcal{R}$. Therefore we
also have

$[q, Z\gamma] \| X \xrightarrow{a} [q', \beta]; [q_n, \gamma] \| X'$

and clearly

$[(q', X'), \beta]; [q_n \times X_m, \gamma] \sim [(q', X'), \beta\gamma]\ S\ [q', \beta\gamma] \| X' \sim [q', \beta]; [q_n, \gamma] \| X'$.

As the converse direction is shown by symmetric arguments this concludes
the proof. □

Corollary 3.6.1. If the PDPA specification $\mathcal{D}$ is in k-PDNF, the resulting
expanded PDPA specification $\mathcal{D}'$ constructed in the previous proof is also in
k-PDNF.

Proof. Since the construction of the expanded PDPA specification only deals
with integrating the regular process structure into the control component of
the given PDPA specification, it is easy to see that the length of the words
in the stack component does not change. □

Finally, we mention that an automata theoretic variant of this result, which
also applies to macro processes, can be found in [PI93].

3.6.1 Example 

We illustrate the construction given in the proof of Theorem 3.6.1 by means
of the process management system PMS consisting of the parallel composition
of the "process handler" PH and the "controller" C. The specifications of the
parallel components PH and C are defined as follows

$PH = \{\ X_0 = create.X_1,\ X_1 = create.X_1X_1 + term\ \}$

$C = \{\ Y_0 = create.Y_1,\ Y_1 = create.Y_1 + shutdown.Y_2,\ Y_2 = \varepsilon\ \}$

whereas their associated labelled transition graphs are given in Figure 3.3.

Fig. 3.3. The parallel components of the process management system.

Here the process handler PH can be interpreted as a system that allows
the creation of processes via the action create and the termination of active
processes via the action term. The process management system offers its
service until it is 'shut down' by the controller C via the action shutdown,
which causes the process management system to deadlock after having terminated
all active processes. By the construction of Theorem 3.6.1 we obtain
the process management system $PMS =_{df} PH \| C$ as follows:

$PMS = \{\ [Y_0, X_0] = create.[Y_1, X_1],$
$\quad [Y_1, X_1] = create.[Y_1, X_1X_1] + term.[Y_1, \varepsilon] + shutdown.[Y_2, X_1],$
$\quad [Y_2, X_1] = term.[Y_2, \varepsilon]\ \}$

The construction also yields the equations

$[Y_0, X_1] = create.[Y_1, X_1X_1] + term.[Y_0, \varepsilon]$

$[Y_1, X_0] = create.[Y_1, X_1] + shutdown.[Y_2, X_0]$

which are, however, useless since the fragments $[Y_0, X_1]$ and $[Y_1, X_0]$ do not
occur on a right-hand side in PMS.

Finally, the labelled transition graph of the overall system which results from
the specification PMS given above is shown in Figure 3.4.
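As an added example, not code from the monograph, the expansion construction of Theorem 3.6.1 written out in Python and run on the PH and C of this example; the dict encoding of specifications, taking Act(PH) and Act(C) to be the actions occurring in their equations, and the pop-set reachability used to identify the useless equations $[Y_0, X_1]$ and $[Y_1, X_0]$ are this example's own choices.

```python
"""Expansion construction of Theorem 3.6.1 for PDPA specifications in PDNF.

Added example, not code from the monograph. Encoding assumed here:
  - a PDPA specification maps a head (q, Z) to a list of summands
    (a, q', beta) for [q, Z] = sum a.[q', beta]; beta is a tuple of stack
    symbols, the empty tuple standing for epsilon;
  - a regular specification maps a variable X to a list of (a, X');
    an empty list stands for X = epsilon;
  - Act(D) and Act(R) are the actions occurring in the equations.
"""
from itertools import product


def actions(spec):
    """Alphabet of a specification: every action that occurs in a summand."""
    return {summand[0] for rhs in spec.values() for summand in rhs}


def expand(pdpa, regular):
    """Product specification D' of Theorem 3.6.1 with heads ((q, X), Z).

    Summand groups: E_D (D moves alone), E_R (R moves alone, the stack
    symbol Z stays) and E_{D,R} (synchronisation on a shared action).
    """
    act_d, act_r = actions(pdpa), actions(regular)
    out = {}
    for (q, Z), X in product(pdpa, regular):
        summands = []
        for a, q2, beta in pdpa[(q, Z)]:          # E_D: a not in Act(R)
            if a not in act_r:
                summands.append((a, (q2, X), beta))
        for a, X2 in regular[X]:                  # E_R: a not in Act(D)
            if a not in act_d:
                summands.append((a, (q, X2), (Z,)))
        for a, q2, beta in pdpa[(q, Z)]:          # E_{D,R}: same action
            for b, X2 in regular[X]:
                if a == b:
                    summands.append((a, (q2, X2), beta))
        out[((q, X), Z)] = summands
    return out


def pop_sets(spec):
    """pop[(p, Z)] = states p' such that [p, Z] can reach [p', epsilon].

    Least fixpoint: a summand a.[p', Z1...Zk] contributes every state in
    which the pushed word Z1...Zk can be popped away symbol by symbol.
    """
    pop = {head: set() for head in spec}
    changed = True
    while changed:
        changed = False
        for head, summands in spec.items():
            for _, p, beta in summands:
                states = {p}
                for Z in beta:
                    states = set().union(*(pop.get((s, Z), set()) for s in states))
                if not states <= pop[head]:
                    pop[head] |= states
                    changed = True
    return pop


def reachable_heads(spec, root):
    """Heads (p, Z) whose equation the process can actually use from root.

    A symbol deeper in a pushed word is reached exactly in the states the
    word in front of it can pop into, so the pop sets decide which [p, Z]
    equations are needed; the remaining equations are useless.
    """
    pop = pop_sets(spec)
    seen, work = {root}, [root]
    while work:
        head = work.pop()
        for _, p, beta in spec.get(head, ()):
            states = {p}
            for Z in beta:
                for s in states:
                    if (s, Z) not in seen:
                        seen.add((s, Z))
                        work.append((s, Z))
                states = set().union(*(pop.get((s, Z), set()) for s in states))
    return seen


# Constructed input: the process handler PH (a BPA process, hence one
# control state 'q') and the controller C of Example 3.6.1.
PH = {('q', 'X0'): [('create', 'q', ('X1',))],
      ('q', 'X1'): [('create', 'q', ('X1', 'X1')), ('term', 'q', ())]}
C = {'Y0': [('create', 'Y1')],
     'Y1': [('create', 'Y1'), ('shutdown', 'Y2')],
     'Y2': []}                                    # Y2 = epsilon
ROOT = (('q', 'Y0'), 'X0')                        # [(q, Y0), X0]


def pms():
    """PMS = PH || C restricted to the heads in use; drops [Y0,X1], [Y1,X0]."""
    full = expand(PH, C)
    return {head: full[head] for head in reachable_heads(full, ROOT)}


if __name__ == '__main__':
    for ((_, Y), Z), rhs in sorted(pms().items()):
        terms = [f"{a}.[{Y2},{''.join(beta) or 'e'}]" for a, (_, Y2), beta in rhs]
        print(f"[{Y},{Z}] = {' + '.join(terms)}")
```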



Fig. 3.4. The expanded process management system.

3.7 Parallel Decomposition and 2-PDNF

When considering classes of formal languages, as well as classes of processes,
representation theorems are of particular interest since they may provide additional
insights in the underlying structure. For example, in formal language
theory the Chomsky-Schützenberger Theorem (cf. [Har78]) states that for
each context-free language $L$ there exists a semi-Dyck language $D$, a regular
language $R$, and a homomorphism $\varphi$ such that

$L = \varphi(D \cap R)$.

In this section we present a similar characterisation theorem for pushdown
processes, which intuitively states that each pushdown process $\mathcal{D}$ can be
represented as the relabelled synchronous parallel composition of a context-free
process $\mathcal{C}$ and a regular process $\mathcal{R}$, i.e.

$\mathcal{D} \sim (\mathcal{C} \| \mathcal{R})[\varphi]$.

Besides making clear the difference between context-free processes and pushdown
processes, the representation theorem also allows us to obtain some structural
properties of pushdown specifications. For example, using the well-known
2-GNF for BPA processes the representation theorem implies that
every pushdown process can effectively be rewritten in such a way that each
fragment $[q, \gamma]$ appearing on a right-hand side has length at most 2.

We start our exposition by introducing formally what it means when a
process is being relabelled.

Definition 3.7.1 (Relabelling).

The behaviour of a relabelled process $P[\varphi]$ with relabelling function $\varphi : Act \to Act'$
is determined by the transition rule:

$\dfrac{P \xrightarrow{a} P'}{P[\varphi] \xrightarrow{\varphi(a)} P'[\varphi]}$
By means of relabelling and synchronous parallel composition we are now
able to state our representation theorem for pushdown processes.

Theorem 3.7.1 (Decomposition Theorem).

For any guarded PDPA specification $\mathcal{D}$ there exist effectively a guarded BPA
specification $\mathcal{C}$, a guarded regular specification $\mathcal{R}$, and a relabelling $[\varphi]$ such
that

$\mathcal{D} \sim (\mathcal{C} \| \mathcal{R})[\varphi]$

Proof. Let $\mathcal{D} = (Q, Z, Act, \mathcal{E}_\mathcal{D}, [q_1, Z_1])$ be a guarded PDPA specification in
PDNF with state set $Q = \{q_1, \ldots, q_n\}$. Then we define the regular process
specification

$\mathcal{R} =_{df} (V_Q, Act', \mathcal{E}_\mathcal{R}, X_{q_1})$

with variable set $V_Q =_{df} \{X_{q_1}, \ldots, X_{q_n}\}$ and action set $Act' =_{df} Act \times Q \times Q$
by

$X_q = \sum_{i, j_i} (a_{j_i}, q, q'_{j_i}).X_{q'_{j_i}}$ iff $[q, Z_i] = \sum_{j_i} a_{j_i}.[q'_{j_i}, \beta_{j_i}] \in \mathcal{E}_\mathcal{D}$,

while the BPA specification

$\mathcal{C} =_{df} (Z, Act', \mathcal{E}_\mathcal{C}, Z_1)$

is defined by

$Z = \sum_{i, j_i} (a_{j_i}, q_i, q'_{j_i}).\beta_{j_i}$ iff $[q_i, Z] = \sum_{j_i} a_{j_i}.[q'_{j_i}, \beta_{j_i}] \in \mathcal{E}_\mathcal{D}$.

Obviously, $\mathcal{R}$, as well as $\mathcal{C}$, are both guarded specifications.

Finally, the relabelling function $\varphi$ is defined by simply dropping the index
$(q, q')$ from any action $(a, q, q')$, i.e. $\varphi((a, q, q')) = a$.

The theorem is now proved by showing that

$S = \{\ ([q, \gamma],\ (X_q \| \gamma)[\varphi]) \mid q \in Q,\ \gamma \in Z^*\ \}$

is a bisimulation up to $\sim$. First observe that the parallel composition of $\mathcal{C}$
and $\mathcal{R}$ is always forced to synchronise since both process specifications are
defined over the same set of actions $Act'$. Hence, processes of the form $[q, \varepsilon]$
and $X_q \| \varepsilon$ cannot perform any action. Now suppose that we have a transition

$[q, Z\gamma] \xrightarrow{a} [q', \beta]; [q_n, \gamma]$

due to some transition $[q, Z] \xrightarrow{a} [q', \beta]$. Then by construction of $\mathcal{E}_\mathcal{R}$ and $\mathcal{E}_\mathcal{C}$
we have

$X_q \xrightarrow{(a, q, q')} X_{q'}$ and $Z \xrightarrow{(a, q, q')} \beta$,

respectively. Thus also the parallel composition may perform the transition

$(X_q \| Z\gamma)[\varphi] \xrightarrow{a} (X_{q'} \| \beta\gamma)[\varphi]$

and we have clearly

$[q', \beta]; [q_n, \gamma] \sim [q', \beta\gamma]\ S\ (X_{q'} \| \beta\gamma)[\varphi]$.

To prove the converse direction assume that there exists a transition

$(X_q \| Z\gamma)[\varphi] \xrightarrow{a} (X_{q'} \| \beta\gamma)[\varphi]$.

Since this must be a synchronised transition we know that

$X_q \xrightarrow{(a, q, q')} X_{q'}$ and $Z \xrightarrow{(a, q, q')} \beta$.

Thus there exists a right-hand side summand $a.[q', \beta]$ of $[q, Z]$ in $\mathcal{E}_\mathcal{D}$. This
yields

$[q, Z\gamma] \xrightarrow{a} [q', \beta]; [q_n, \gamma]$,

and again we obtain

$[q', \beta]; [q_n, \gamma] \sim [q', \beta\gamma]\ S\ (X_{q'} \| \beta\gamma)[\varphi]$

which completes the proof. □

The decomposition theorem thus shows that pushdown processes form the
smallest extension of context-free processes up to relabelling that is closed
under parallel composition with regular processes. As a corollary we obtain
that each pushdown process can be rewritten into 2-PDNF, which is essential
for the presentation of our algorithm.

Corollary 3.7.1 (2-PDNF).

For any guarded PDPA specification $\mathcal{D}$, we can effectively find a guarded
PDPA specification $\mathcal{D}'$ in 2-PDNF such that $\mathcal{D} \sim \mathcal{D}'$.

Proof. Given a guarded PDPA specification $\mathcal{D}$, apply Theorem 3.7.1 to obtain
the guarded BPA specification $\mathcal{C}$, the guarded regular process specification
$\mathcal{R}$, and the relabelling $\varphi$ such that $\mathcal{D} \sim (\mathcal{C} \| \mathcal{R})[\varphi]$. Then rewrite $\mathcal{C}$ to a
bisimilar BPA specification $\mathcal{C}'$ in 2-GNF and apply Theorem 3.6.1 to $\mathcal{C}' \| \mathcal{R}$.
Finally, rename all actions according to $\varphi$.

Note that bisimulation is a congruence relation with respect to fully synchronous
parallel composition and relabelling. Thus bisimilarity is preserved
while replacing $\mathcal{C}$ by $\mathcal{C}'$. Moreover, Corollary 3.6.1 guarantees that the resulting
PDPA specification is in 2-PDNF. □
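As an added example, not code from the monograph, the construction of $\mathcal{R}$, $\mathcal{C}$ and $\varphi$ from the proof of Theorem 3.7.1 in Python, together with the operational rules of Definitions 3.6.1 and 3.7.1, so that the pairing $S$ of the proof can be checked configuration by configuration; the input is the specification $\mathcal{D}$ of Figure 3.5 below, transcribed as printed (no equation for $[q_2, Z_1]$), and the dict encoding and the naming of $X_q$ by $q$ itself are this example's assumptions.

```python
"""Decomposition of a PDNF specification D into a regular process R and a
BPA process C with relabelling phi (Theorem 3.7.1), checked against the
operational semantics of Definitions 3.6.1 and 3.7.1.

Added example, not code from the monograph. Encoding assumed: D maps heads
(q, Z) to summands (a, q', beta); the variable X_q of R is named by q; a
configuration of D is (q, gamma) with gamma a tuple of stack symbols.
"""
from collections import deque


def decompose(pdpa):
    """R: X_q -(a,q,q')-> X_q'   C: Z -(a,q,q')-> beta   phi drops (q, q')."""
    reg, bpa = {}, {}
    for (q, Z), summands in pdpa.items():
        reg.setdefault(q, [])
        for a, q2, beta in summands:
            reg[q].append(((a, q, q2), q2))
            reg.setdefault(q2, [])
            bpa.setdefault(Z, []).append(((a, q, q2), beta))
    return reg, bpa, (lambda label: label[0])


def pdpa_steps(pdpa, conf):
    """Successors of [q, Z gamma]: a summand a.[q', beta] yields [q', beta gamma]."""
    q, gamma = conf
    if not gamma:                                   # [q, epsilon] is deadlocked
        return set()
    return {(a, (q2, beta + gamma[1:])) for a, q2, beta in pdpa.get((q, gamma[0]), ())}


def bpa_steps(bpa, gamma):
    """Successors of the BPA word Z gamma: a rule Z -(l)-> beta yields beta gamma."""
    if not gamma:
        return set()
    return {(lab, beta + gamma[1:]) for lab, beta in bpa.get(gamma[0], ())}


def parallel_steps(p, p_succ, act_p, q, q_succ, act_q):
    """Definition 3.6.1: interleave actions private to one side, synchronise
    on actions in both alphabets."""
    out = {(lab, (p2, q)) for lab, p2 in p_succ if lab not in act_q}
    out |= {(lab, (p, q2)) for lab, q2 in q_succ if lab not in act_p}
    out |= {(lab, (p2, q2)) for lab, p2 in p_succ for lab2, q2 in q_succ if lab == lab2}
    return out


def check_decomposition(pdpa, root, depth):
    """Explore D breadth-first from root up to the given depth and verify that
    each configuration [q, gamma] and its partner (X_q || gamma)[phi] under
    the relation S of the proof have the same labelled successors."""
    reg, bpa, phi = decompose(pdpa)
    act_r = {lab for rhs in reg.values() for lab, _ in rhs}
    act_c = {lab for rhs in bpa.values() for lab, _ in rhs}
    seen, queue = {root}, deque([(root, 0)])
    while queue:
        (q, gamma), d = queue.popleft()
        left = pdpa_steps(pdpa, (q, gamma))
        prod = parallel_steps(q, set(reg.get(q, ())), act_r,
                              gamma, bpa_steps(bpa, gamma), act_c)
        right = {(phi(lab), conf) for lab, conf in prod}   # Definition 3.7.1
        if left != right:
            return False
        if d < depth:
            for _, conf in left:
                if conf not in seen:
                    seen.add(conf)
                    queue.append((conf, d + 1))
    return True


# Constructed input: the specification D of Figure 3.5 as printed there.
FIG35 = {('q1', 'Z1'): [('a', 'q1', ('Z2', 'Z1')), ('c', 'q2', ('Z1',))],
         ('q1', 'Z2'): [('a', 'q1', ('Z2', 'Z2')), ('b', 'q1', ()), ('c', 'q2', ('Z2',))],
         ('q2', 'Z2'): [('d', 'q2', ())]}
ROOT = ('q1', ('Z1',))


if __name__ == '__main__':
    reg, bpa, _ = decompose(FIG35)
    print('R:', reg)
    print('C:', bpa)
    print('S checked to depth 6:', check_decomposition(FIG35, ROOT, 6))
```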
3.8 Related work

Besides the Pushdown Process Algebra proposed in this monograph, there 
also exist other equally expressive frameworks modelling the class of push- 
down processes. These approaches use a variety of formalisms exploiting 
graph decomposition properties, particular rewrite techniques, pushdown au- 
tomata based methods, deterministic graph grammars and logical characteri- 
sations for the description of pushdown processes. Summarising, we have the 
following theorem. 

Theorem 3.8.1. The classes of labelled transition graphs generated by the
following formalisms coincide.

— Pushdown Process Algebra [BS94].

— Context-free graphs [MS85].

— Prefix transition graphs [Cau92].

— Pushdown transition graphs [CM90].

— Equational graphs of finite degree [Cou90].

— MSOL definable graphs of finite width and of finite degree [Cou89].

In this section we present successively the different formalisms, and show
how they model pushdown processes by means of a fixed example. For this
purpose we take the pushdown specification $\mathcal{D}$, and its associated transition
graph $T_\mathcal{D}$, both given in Figure 3.5. The root of $T_\mathcal{D}$ corresponding to $[q_1, Z_1]$
is hereby indicated by the arrow without source.

Let $\mathcal{D} = (\{q_1, q_2\}, \{Z_1, Z_2\}, \{a, b, c, d\}, \mathcal{E}, [q_1, Z_1])$ be the PDPA specification
where

$\mathcal{E} = \{\ [q_1, Z_1] = a.[q_1, Z_2Z_1] + c.[q_2, Z_1],$
$\quad [q_1, Z_2] = a.[q_1, Z_2Z_2] + b.[q_1, \varepsilon] + c.[q_2, Z_2],$
$\quad [q_2, Z_2] = d.[q_2, \varepsilon]\ \}$

Fig. 3.5. An example pushdown process.
Finally, we close this section by presenting an extension of BPA proposed
by Baeten and Bergstra [BB91] which incorporates similar ideas as PDPA, 
but yields a different class of processes. 



3.8.1 Context-Free Graphs

In a landmark paper Muller and Schupp [MS85] introduced the class of
context-free graphs^, which is of special interest in the theory of ends since
each context-free graph is "finitely behaved at infinity". As a main result, the
authors show that a graph is context-free iff it is the transition graph of some
pushdown automaton. More remarkably, they relate the theory of monadic
second-order logic (MSOL) on context-free graphs to certain tiling problems
on these graphs which are further reducible to the emptiness problem on some
associated infinite trees. Since by Rabin's theorem [Rab69] the latter problem
is known to be solvable, this establishes that the monadic second-order
theory of context-free graphs is decidable. Subsequently, we briefly recall the
basic definitions concerning the class of context-free graphs, and show that
it contains the labelled transition graph $T_\mathcal{D}$.

A labelled graph $G = (V_G, \Sigma, E_G)$ is a triple where $V_G$ is a set of vertices,
$\Sigma$ is an alphabet, and $E_G \subseteq V_G \times \Sigma \times V_G$ is a set of edges. We call a labelled
graph $G$ finitely generated if it has the following three properties:

1. the label alphabet $\Sigma$ of $G$ is finite,

2. $G$ is a connected graph with a distinguished vertex $v_G$, called the root of
$G$, and

3. $G$ has uniformly bounded out-degree $b$, i.e. each vertex of $G$ has at most
$b$ outgoing edges.

Now let $G$ be a finitely generated graph with root $v_G$. For any vertex $v$
of $G$, we write $|v|$ to denote the length of a shortest path from $v_G$ to $v$, also
called the distance of $v$ from $v_G$. Moreover, let $V_G^{(n)}$ be the set of all vertices
of $G$ which have distance of less than $n$ from $v_G$. Then by $G^{(n)}$ we mean the
subgraph of $G$ consisting of $V_G^{(n)}$ together with all incident edges. Thus, for
example, $G^{(0)}$ is empty and $G^{(1)}$ consists of $v_G$ and incident edges.

Figure 3.6 illustrates the previous definitions for our example graph $T_\mathcal{D}$.
The vertices on a dashed line labelled with $n$ have distance $n$ from the root.
Accordingly, $G^{(n)}$ denotes the subgraph to the left of distance line $n$.

Since $G$ has uniformly bounded out-degree, $G \setminus G^{(n)}$ consists of finitely
many connected components. If $C$ is such a component, a frontier point of $C$
is a vertex $u$ of $C$ such that $|u| = n$. If $v$ is a vertex of $G$ with $|v| = n$, then
we shall use $G(v)$ to denote the component of $G \setminus G^{(n)}$ which contains $v$. For

^ In the light of later developments the term "context-free graph" has turned out
to be an unfortunate choice as it may lead to confusion with the classification of
context-free processes and pushdown processes.
Fig. 3.6. The distances of vertices from the root in $T_\mathcal{D}$.



each vertex $v$, the set of frontier points of $G(v)$, denoted by $Fr(v)$, is finite
due to the finite branching of $G$.

Definition 3.8.1. Let $u$ and $v$ be vertices of $G$. An end-isomorphism between
the two subgraphs $G(u)$ and $G(v)$ is a mapping $\psi : G(u) \to G(v)$ such that

— $\psi$ is a label-preserving graph isomorphism, and

— $\psi$ maps $Fr(u)$ onto $Fr(v)$.

Finally, we are in a position to define the notion of a context-free graph.

Definition 3.8.2 (Context-Free Graph).

A graph $G$ is said to be context-free if $G$ is a finitely generated graph such
that

$\{\ G(v) \mid v \text{ is a vertex of } G\ \}$

has only finitely many isomorphism classes under end-isomorphisms.

The labelled transition graph of Figure 3.5 is obviously finitely generated.
Moreover, it has only two isomorphism classes under end-isomorphisms. The
first is the whole graph itself, while the second one is given in Figure 3.7
where we have colored the frontier points black. Hence this shows that $T_\mathcal{D}$ is
a context-free graph.

Fig. 3.7. The nontrivial isomorphism class of $T_\mathcal{D}$ under end-isomorphisms.
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3.8.2 Prefix Transition Graphs 



A different formalism has been investigated by Caucal in [Cau92] . The author 
considers labelled rewrite systems, i.e. word rewrite systems where each pair 
contained in the rewrite relation is labelled with some terminal letter from 
an alphabet S. Formally, we have 

Definition 3.8.3. A labelled rewrite system TZ is a triple (X*, A, { A }ae i:) 
where 

— X is a set of nonterminals, 

~ X is a finite alphabet, and 

— { }aGi: ‘is a, family of finite rewrite relations on X* x X* . 

As usually, we write a A /3, for {a, fi) G A, and call a ^ (3 a, rule of TZ. 
Instead of general rewriting, Caucal considers a particular variant, called 
prefix rewriting, where rewrite steps may only occur at the beginning of the 
word to be rewritten. 

Let TZ = {X*, A, { '^ }og s) be a labelled rewrite system. A prefix rewrite 
step with respect to 7?. is a labelled transition ay A /Sy where a /3 is a 
rule of TZ. We shall extend this definition by refiexivity and transitivity to 
allow a A /3, for re G A*. 

Definition 3.8.4 (Prefix Transition Graph).

The prefix transition graph $G(\mathcal{R}, r)$ of a labelled rewrite system $\mathcal{R}$ and an axiom $r \in X^*$ has then as vertices the set $V$ of words $\alpha \in X^*$ such that $r \xrightarrow{w} \alpha$ for some $w \in \Sigma^*$, and as edges $\alpha \xrightarrow{a} \beta$ whenever $\alpha, \beta \in V$ and $\alpha \xrightarrow{a} \beta$ is a prefix rewrite step.



The labelled transition graph of Figure 3.5 is now obtained as the prefix transition graph $G(\mathcal{R}, q_1)$ of the labelled rewrite system

$\mathcal{R} = (\{q_1, q_2, X\}, \{a, b, c, d\}, \Delta)$

where $\Delta$ contains the rules $q_1 \xrightarrow{a} q_1 X$, $q_1 X \xrightarrow{b} q_1$, …

3.8.3 Pushdown Transition Graphs

As we mentioned earlier, from an operational point of view pushdown automata may also be interpreted as labelled rewrite systems [CM90]. Given a pushdown automaton $\mathcal{A} = (Q, Z, \Sigma, \delta, q_1, Z_1)$, we consider the labelled rewrite system

$\mathcal{R}_{\mathcal{A}} =_{df} ((Q \cup Z)^*, \Sigma, \{\xrightarrow{a}\}_{a \in \Sigma}),$

called a pushdown rewrite system, where $qZ \xrightarrow{a} q'\gamma$ is a rule of $\mathcal{R}_{\mathcal{A}}$ whenever $(q', \gamma) \in \delta(q, a, Z)$. Each such pushdown rewrite system defines a transition graph by means of general rewrite steps⁶ beginning with an axiom $r$.

Definition 3.8.5 (Pushdown Transition Graph).

Let $\mathcal{A} = (Q, Z, \Sigma, \delta, q_1, Z_1)$ be a pushdown automaton. The pushdown transition graph $G(\mathcal{R}_{\mathcal{A}}, q_1 Z_1)$ of $\mathcal{A}$ is the transition graph of the pushdown rewrite system $\mathcal{R}_{\mathcal{A}}$ with respect to the axiom $q_1 Z_1$.



Obviously, the transition graph $G(\mathcal{R}_{\mathcal{A}}, q_1 Z_1)$ of the pushdown automaton

$\mathcal{A} = (\{q_1, q_2\}, \{Z\}, \{a, b, c, d\}, \delta, q_1, Z_1)$

where

$\delta(q_1, a, Z) = \{(q_1, ZZ)\}$

$\delta(q_1, b, Z) = \{(q_1, \varepsilon)\}$

$\delta(q_1, c, Z) = \{(q_2, \varepsilon)\}$

$\delta(q_2, d, Z) = \{(q_2, \varepsilon)\}$

is identical with $T_D$.

It may seem that labelled rewrite systems as given in Definition 3.8.3 are 
more expressive than pushdown rewrite systems since the former are defined 
by rules over arbitrary words and thus do not have any notion of state or 
stack symbols. It is therefore remarkable that the class of prefix transition 
graphs does coincide with the class of pushdown transition graphs [Cau92]. 
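As an added example (not code from the monograph), the construction of Section 3.8.3 in Python: the pushdown rewrite system $\mathcal{R}_{\mathcal{A}}$ is built from the transition function $\delta$ of the automaton above, and a finite window of the prefix transition graph $G(\mathcal{R}_{\mathcal{A}}, q_1 Z)$ is explored breadth-first from the axiom; since $\{Z\}$ is the only stack symbol, the initial symbol $Z_1$ is taken to be $Z$, and all function names are my own.

```python
from collections import deque

# Constructed input (added example, not the monograph's code): the pushdown
# automaton A of Section 3.8.3 with states q1, q2, stack symbol Z and the
# transition function δ given there.  Words over Q ∪ Z are tuples of symbols.
DELTA = {
    ("q1", "a", "Z"): {("q1", ("Z", "Z"))},
    ("q1", "b", "Z"): {("q1", ())},
    ("q1", "c", "Z"): {("q2", ())},
    ("q2", "d", "Z"): {("q2", ())},
}


def pushdown_rewrite_system(delta):
    """R_A: one rule qZ ->_a q'γ for every (q', γ) ∈ δ(q, a, Z).
    Rules are returned as (lhs, label, rhs) triples of words."""
    rules = []
    for (q, a, z), targets in delta.items():
        for (q2, gamma) in targets:
            rules.append(((q, z), a, (q2,) + tuple(gamma)))
    return rules


def prefix_rewrite_steps(rules, word):
    """All prefix rewrite steps αγ ->_a βγ applicable to `word`, as (a, βγ) pairs.
    For a pushdown rewrite system these are also all general rewrite steps,
    because the control state sits at the front of every reachable word."""
    steps = []
    for lhs, a, rhs in rules:
        if word[:len(lhs)] == lhs:
            steps.append((a, rhs + word[len(lhs):]))
    return steps


def prefix_transition_graph(rules, axiom, max_len):
    """The finite part of G(R, r) whose vertices have length <= max_len,
    computed by breadth-first exploration from the axiom r.
    Returns (vertices, edges) with edges as (source, label, target) triples."""
    vertices = {axiom}
    edges = set()
    queue = deque([axiom])
    while queue:
        alpha = queue.popleft()
        for a, beta in prefix_rewrite_steps(rules, alpha):
            if len(beta) > max_len:
                continue  # outside the finite window we asked for
            edges.add((alpha, a, beta))
            if beta not in vertices:
                vertices.add(beta)
                queue.append(beta)
    return vertices, edges


def is_pushdown_shaped(vertices):
    """Every reachable word has the form q Z^n, i.e. the vertex shape of T_D."""
    return all(w[0] in ("q1", "q2") and all(s == "Z" for s in w[1:])
               for w in vertices)


if __name__ == "__main__":
    rules = pushdown_rewrite_system(DELTA)
    verts, edges = prefix_transition_graph(rules, ("q1", "Z"), 4)
    for src, a, tgt in sorted(edges):
        print("".join(src), "--%s-->" % a, "".join(tgt))
```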



3.8.4 Equational graphs 

A somewhat more complicated approach exploits the class of graphs generated by deterministic hypergraph grammars [Cou90]. In the sequel, we present the basic concepts of this framework, and briefly give the necessary definitions.

Hyperedges generalise the concept of directed edges as arcs from a source to a target by interpreting edges as a sequence of $k$ vertices. The number $k$ is then called the type of the hyperedge, and accordingly a hyperedge of type 2 is an ordinary edge. Hyperedges may also be labelled. However, the alphabet of hyperedge labels must then be a ranked alphabet $B$, i.e. it must be given with a type mapping $\tau : B \to \mathbb{N}$, and the type of a hyperedge must coincide with the type of its label.

Definition 3.8.6 (Hypergraph).

A hypergraph over $B$ of type $n$ is a five tuple

$H = (V_H, E_H, lab_H, vert_H, src_H)$

where

— $V_H$ is the set of vertices,

— $E_H$ is the set of hyperedges,

— $lab_H : E_H \to B$ defines the label of a hyperedge,

— $vert_H : E_H \to V_H^*$ defines the sequence of vertices of a hyperedge, and

— $src_H$ is a sequence of $n$ vertices of $V_H$.

We impose the condition that the labels of hyperedges are well-typed, i.e. that the length of $vert_H(e)$ is equal to $\tau(lab_H(e))$ for all $e$ in $E_H$. An element of $src_H$ is called a source of $H$.

⁶ In fact, the distinction between prefix rewrite steps and general rewrite steps is in this case not necessary, as the special form of the rewrite rules guarantees that a rewrite step may only modify a prefix of the current word.

Intuitively, the sources of a hypergraph are its external reference points 
used when the hypergraph is embedded into a larger context which will be 
another hypergraph. 

As usual, a hypergraph is said to be finite if the set of vertices, as well as the set of hyperedges, is finite. The class of all hypergraphs over $B$ of type $n$ is denoted by $G(B)_n$, while $FG(B)_n$ denotes the class of all finite hypergraphs of type $n$. Finally, a hypergraph of type $n$ is also called an $n$-hypergraph.

Hypergraph Expressions. Hypergraphs may also be described algebraically by means of hypergraph expressions. To formalise this approach we introduce a many-sorted algebra (cf. [Wec92]) of hypergraphs as follows.

Definition 3.8.7 (Algebra of Hypergraphs).

The many-sorted algebra of hypergraphs $\mathbb{G}(B)$ has $\mathbb{N}$ as the set of sorts, $G(B)_n$ as the carrier of sort $n$, and an infinite signature $H$ built from the symbols $\mathbf{0}$, $\mathbf{1}$, $b$ (for $b \in B$), $\oplus$, $\theta_\delta$ and $\sigma_\alpha$. $\mathbf{0}$ is interpreted as the empty graph, while $\mathbf{1}$ represents the $1$-graph consisting of one vertex that is its unique source. For every $b \in B$, $b$ denotes the $\tau(b)$-hypergraph $H$ consisting of one edge $e$, labelled by $b$ and with $src_H = vert_H(e)$. Finally, the three operations $\oplus$, $\theta_\delta$, $\sigma_\alpha$, which are actually operation schemes defining infinitely many operations, are interpreted as follows.

Union: Let $G \in G(B)_n$ and $G' \in G(B)_m$. Then $G \oplus_{n,m} G'$ denotes the $(n+m)$-hypergraph obtained by disjoint union of $G$ and $G'$ with the concatenation of $src_G$ and $src_{G'}$ as the sequence of sources. Note that this operation is not commutative due to the concatenation of sources.

Fusion: Let $\delta$ be an equivalence relation on $\{1, \dots, n\}$, and $G \in G(B)_n$. Then $\theta_{\delta,n}(G)$ denotes the $n$-hypergraph obtained from $G$ by fusing its $i$-th and $j$-th sources for every $(i, j)$ in $\delta$.

Source Selection: Let $\alpha : \{1, \dots, p\} \to \{1, \dots, n\}$ be a total mapping and $G \in G(B)_n$. Then $\sigma_{\alpha,p,n}(G)$ is the $p$-hypergraph consisting of $G$ equipped with

$(src_G(\alpha(1)), \dots, src_G(\alpha(p)))$

as the sequence of sources.

In the sequel, the set of all hypergraph expressions of sort $n$ is denoted by $FE(B)_n$, and we write $val(g)$ for the finite hypergraph defined by an expression $g$.

To illustrate the use of hypergraph expressions we define the sequential composition of labelled transition graphs given in Section 2.5 in terms of the operations $\oplus$, $\theta_\delta$, $\sigma_\alpha$.

Example 3.8.1. Let $G_i \in FG(Act)_{n+1}$, for $0 \le i \le n$, where $Act$ is interpreted as a ranked alphabet with $\tau(a) = 2$, for all $a \in Act$. Moreover, we will interpret $src_{G_i}(1)$ as the start vertex, and $src_{G_i}(2), \dots, src_{G_i}(n+1)$ as the sequence of end vertices, for each $G_i$. The sequential composition $G_0 ; (G_1, \dots, G_n)$ is then defined by the expression

$\sigma_{\alpha, n+1, (n+1)^2}\bigl(\theta_{\delta, (n+1)^2}\bigl(\dots((G_0 \oplus_{n+1, n+1} G_1) \oplus_{2(n+1), n+1} G_2) \dots \oplus_{n(n+1), n+1} G_n\bigr)\bigr)$

Here $\delta$ denotes the equivalence relation on $\{1, \dots, (n+1)^2\}$ consisting of the singleton equivalence class $\{1\}$, meaning that the start vertex of $G_0$ is not joined with any other vertex, the $n$ equivalence classes

$\{\, 1+i,\ i(n+1)+1 \,\}_{i=1}^{n},$

responsible for joining the $i$-th end vertex of $G_0$ with the start vertex of $G_i$, as well as the $n$ equivalence classes

$\{\, j(n+1)+i \mid 1 \le j \le n \,\}$

responsible for joining the $i$-th end vertices of $G_1, \dots, G_n$. Moreover, $\alpha$ denotes the mapping $1 \mapsto 1$, as well as $1+i \mapsto (n+1)+1+i$, for $1 \le i \le n$.
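As an added example (not code from the monograph), the operations $\oplus$, $\theta_\delta$ and $\sigma_\alpha$ of Definition 3.8.7 on finite hypergraphs, applied to the expression of Example 3.8.1 for $n = 1$, where $\delta$ fuses sources 2 and 3 and $\alpha = (1, 4)$; the class and function names are my own, and vertices are represented by integers.

```python
# Added example (not the monograph's code): a small implementation of the
# hypergraph algebra of Definition 3.8.7 and of Example 3.8.1 for n = 1.

class Hypergraph:
    """A finite hypergraph H = (V_H, E_H, lab_H, vert_H, src_H) over a ranked
    alphabet given by the dict `tau` (label -> type); vertices are integers."""

    def __init__(self, vertices, edges, sources, tau):
        # edges: list of (label, tuple of vertices); sources: tuple of vertices
        self.vertices = set(vertices)
        self.edges = list(edges)
        self.sources = tuple(sources)
        self.tau = tau
        for lab, verts in self.edges:          # well-typedness condition
            assert len(verts) == tau[lab], "hyperedge type must match its label"

    @property
    def sort(self):
        """The type n of the hypergraph, i.e. its sort in G(B)."""
        return len(self.sources)

    def relabel(self, f):
        """Apply the vertex map f to vertices, edges and sources."""
        return Hypergraph({f(v) for v in self.vertices},
                          [(lab, tuple(f(v) for v in vs)) for lab, vs in self.edges],
                          tuple(f(v) for v in self.sources), self.tau)


def edge_graph(label, tau):
    """The constant b of the signature: one edge labelled b whose vertex
    sequence is also the source sequence (src_H = vert_H(e))."""
    vs = tuple(range(tau[label]))
    return Hypergraph(vs, [(label, vs)], vs, tau)


def union(g, h):
    """G ⊕_{n,m} G': disjoint union, sources of G followed by sources of G'."""
    offset = max(g.vertices, default=-1) + 1
    h2 = h.relabel(lambda v: v + offset)      # make the vertex sets disjoint
    return Hypergraph(g.vertices | h2.vertices, g.edges + h2.edges,
                      g.sources + h2.sources, g.tau)


def fusion(g, pairs):
    """θ_{δ,n}(G): fuse the i-th and j-th sources for every (i, j) in δ (1-based);
    `pairs` lists generating pairs of the equivalence relation δ."""
    parent = {v: v for v in g.vertices}

    def find(v):
        while parent[v] != v:
            v = parent[v]
        return v

    for i, j in pairs:
        ri, rj = find(g.sources[i - 1]), find(g.sources[j - 1])
        if ri != rj:
            parent[rj] = ri
    return g.relabel(find)


def select(g, alpha):
    """σ_{α,p,n}(G): G itself with (src(α(1)), ..., src(α(p))) as sources."""
    return Hypergraph(g.vertices, g.edges,
                      tuple(g.sources[i - 1] for i in alpha), g.tau)


def seq_compose_n1(g0, g1):
    """G_0 ; (G_1) for n = 1, i.e. σ_{α,2,4}(θ_{δ,4}(G_0 ⊕_{2,2} G_1)) with
    δ generated by (2, 3) and α = (1, 4): the end vertex of G_0 is glued to
    the start vertex of G_1, the new sources are start of G_0 and end of G_1."""
    return select(fusion(union(g0, g1), [(2, 3)]), (1, 4))


if __name__ == "__main__":
    TAU = {"a": 2, "b": 2}                       # Act as a ranked alphabet, τ(a) = 2
    g = seq_compose_n1(edge_graph("a", TAU), edge_graph("b", TAU))
    print(sorted(g.vertices), g.edges, g.sources)
```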

A notion we will need in the next subsection when relating graphs definable by a formula with equational graphs concerns the maximal sort occurring in a graph expression.

Definition 3.8.8. The width of a hypergraph expression $g$ in $FE(B)_n$, denoted by $wd(g)$, is the maximal sort of a symbol of $H$ occurring in $g$. The width of a finite $n$-hypergraph $G$ is then defined as

$wd(G) =_{df} \min\{\, wd(g) \mid g \in FE(B)_n,\ val(g) = G \,\}$

Hypergraph Grammars. As context-free grammars generate words, hypergraph grammars are used to generate (finite) hypergraphs. Both notions of generation may also be extended to infinite structures, yielding context-free $\omega$-languages in the first case, and sets of infinite hypergraphs in the second one. Deterministic hypergraph grammars which generate a single hypergraph are of particular interest in this setting since they allow a possibly infinite structure to be represented finitely and concisely. The key concept in this formalism is the equational hypergraph, defined as a component of the canonical solution of a system of hypergraph equations.

Definition 3.8.9. A regular system of graph equations over $\mathbb{G}(B)$ is a system of the form

$S = (x_1 = H_1, \dots, x_n = H_n)$

where $A = \{x_1, \dots, x_n\}$ is a ranked alphabet, called the set of nonterminals of $S$, and where $H_i$, for $1 \le i \le n$, is a hypergraph in $FG(B \cup A)_{\tau(x_i)}$.

A solution of $S$ is an $n$-tuple of hypergraphs $(G_1, \dots, G_n)$ with $G_i$ in $G(B)_{\tau(x_i)}$ such that

$G_i = H_i[G_1/x_1, \dots, G_n/x_n],$

for all $i$, where $H[G_1/x_1, \dots, G_n/x_n]$ denotes the simultaneous replacement of all hyperedges labelled with $x_i$ in $H$ by the hypergraph $G_i$.

As is the case in the theory of recursive applicative program schemes, one is interested in the “least” solution of such a system. Courcelle gives a categorical and a graph-expression based approach for finding the appropriate solution, which is called the canonical solution. First, one can associate with each system of equations a category and a functor such that the initial fixpoint of this functor yields the so-called initial solution of $S$. Secondly, the system of equations can be solved formally in the domain $E(B)$ of finite and infinite graph expressions. Each $H_i$ is replaced by a graph expression denoting it, and the associated system $S$ is solved in the algebra of infinite trees. It can be shown that these two approaches yield the same tuple of graphs.

The class of graphs defined by a regular system of graph equations is strictly larger than the class of pushdown transition graphs. The former includes e.g. graphs with infinite degree. The restriction to finite degree, which can syntactically be determined from the graph equations, yields, however, exactly the class of pushdown transition graphs.

The labelled transition graph $T_D$, for example, is the canonical solution of the graph equation of Figure 3.8 where the numbers indicate the sources of the nonterminal $x_1$ and the right-hand side graph.

Fig. 3.8. The graph equation characterising $T_D$.

3.8.5 MSOL Definable Hypergraphs

The last formalism we consider treats graphs as logical structures. In this approach logical formulas express graph properties, and moreover, may be used to define sets of graphs. The key idea is to relate with a formula the set of those graphs which satisfy the property denoted by the formula under consideration. Interpreted this way, logical languages thus define sets of classes of graphs which can be ordered according to the expressive power of the considered logic. Besides classical logics like first-order or second-order logic, particularly the theory of monadic second-order logic (MSOL) has attracted a lot of research as it is closely related to the class of equational graphs defined in the previous section (cf. [Cou89]). MSOL extends first-order logic by admitting quantification over monadic second-order predicates. In the sequel, we introduce the monadic second-order theory of graphs and give the connection between this logic and the class of pushdown transition graphs.

Let $v$ denote the sort of vertices and $e$ the sort of edges, respectively. For every $b \in B$, we define a relational symbol of arity $\tau(b) + 1$ and of type $(e, v, \dots, v)$ which intuitively expresses that the first argument is a hyperedge equipped with the sequence of vertices given by the remaining arguments. A hypergraph $G = (V_G, E_G, lab_G, vert_G, src_G)$ contained in $G(B)_n$ may now be interpreted as the logical $\{v, e\}$-sorted structure

$\mathcal{G} =_{df} (V_G, E_G, (edg_b^{\mathcal{G}})_{b \in B}, (s_i^{\mathcal{G}})_{i \in [n]})$

where $edg_b^{\mathcal{G}}$ has the interpretation

$edg_b^{\mathcal{G}}(e, v_1, \dots, v_{\tau(b)}) \text{ iff } lab_G(e) = b \wedge vert_G(e) = (v_1, \dots, v_{\tau(b)}),$

and $s_i^{\mathcal{G}}$ denotes a constant of sort $v$ interpreted as $src_G(i)$.

In the following we use object variables $x, y, \dots$ of sort $v$ or $e$ to range over $V_G$ or $E_G$, respectively, while set variables $X, Y, \dots$ of sort $v$ or $e$ will range over $2^{V_G}$ or $2^{E_G}$. Moreover, the mapping from variables to sorts is given by $\sigma$. Now let $Var$ be a $\{v, e\}$-sorted set of variables and $S = \{s_1, \dots, s_n\}$ be a set of vertex constants. As usual, uppercase letters will denote set variables, while object variables and constants are denoted by lowercase letters. The set of atomic formulas is then defined by

— $x = x'$ for $x, x' \in Var \cup S$ and $\sigma(x) = \sigma(x')$,

— $x \in X$ for $x, X \in Var \cup S$ and $\sigma(x) = \sigma(X)$,

— $edg_b(x, v_1, \dots, v_n)$ for $x, v_1, \dots, v_n \in Var \cup S$, $\sigma(x) = e$, and $\sigma(v_i) = v$, for $i = 1, \dots, n$,

— $fin(X)$ for $X \in Var \cup S$.



Atomic formulas have the usual semantics. In particular, $fin(X)$ holds if $X$ is interpreted as a finite set. Arbitrary formulas of the logic MSOL are then generated from atomic formulas by the Boolean connectives $\neg$, $\vee$, $\wedge$, and the quantifiers $\forall$, $\exists$ ranging either over object variables, or over set variables, respectively.

Since formulas may be interpreted as predicates on the set of all graphs, a graph $G$ is said to be $\mathcal{L}$-definable for some logic $\mathcal{L}$ if $G$ can be characterised up to isomorphism by a formula of $\mathcal{L}$. The main result of this approach is now stated in the following theorem (cf. [Cou90]).



Theorem 3.8.2. A hypergraph is equational iff it is MSOL-definable and of finite width.



The class of pushdown transition graphs is thus obtained by restricting 
MSOL-definable graphs to finite width and to finite degree. 

Courcelle [Cou89] remarks that the construction of an MSOL-formula from a system of graph equations $S$ is intractable since the formula obtained may be of exponential length in the size of $S$. As the proof of this theorem is rather technical we omit the MSOL characterisation for the graph given in Figure 3.5.



3.8.6 BPA with the state operator 

In this final section we present an extension of BPA proposed by Baeten and 
Bergstra [BB91] that is based on similar ideas as PDPA. They extend BPA 
by the state operator which allows simultaneously to capture side-effects on 
a finite domain, as well as to rename the visible action resulting from a state 
transition. 

Formally, one has, for each state $s$ of a (finite) state space $S$, an operator $\lambda_s$ which is added to the signature of BPA, and an expression $\lambda_s(E)$ then denotes that the process $E$ is in the state $s$. Furthermore, there are two functions $action$ and $effect$ describing the visible action and the new state which result from the execution of an action.

$action : Act \times S \to Act$

$effect : Act \times S \to S$

The behaviour of the state operator is then captured by the axioms SO1, SO2, and SO3, as well as its action rule, which are defined as follows.
Axioms for the state operator

SO1  $\lambda_s(a) = action(a, s)$

SO2  $\lambda_s(aE) = action(a, s)\,\lambda_{effect(a,s)}(E)$

SO3  $\lambda_s(E + F) = \lambda_s(E) + \lambda_s(F)$

Action rule for the state operator

$\dfrac{E \xrightarrow{a} E'}{\lambda_s(E) \xrightarrow{action(a,s)} \lambda_{effect(a,s)}(E')}$

As can be seen from the action rule the state operator combines two 
independent concepts: first a finite memory in form of an additional control 
component and second the renaming of atomic actions. Extending regular 
processes with these two concepts does, however, not enhance their expressive 
power, as an application of the state operator to a regular process yields again 
a regular process. In contrast, the combination of BPA and the state operator 
leads, as proved by Baeten and Bergstra in [BB91], to a process algebra which 
is strictly more expressive than pure BPA. 

Furthermore, one can show using similar techniques as in the proof of Theorem 3.7.1 that BPA with the state operator is at least as expressive as PDPA. However, it is not known to us whether this inclusion is strict, although we conjecture that the answer will be affirmative.






4. Model Checking 



4.1 Introduction 

In [MS85] Muller and Schupp prove the remarkable result that the theory of monadic second-order logic (MSOL) is decidable for the class of pushdown transition graphs. As a consequence, for each temporal logic which can be interpreted in MSOL, notably the modal $\mu$-calculus, the satisfaction problem is solvable for this class of graphs. A major drawback for practical applications is, however, the nonelementary complexity of the decision procedure.

In this chapter we present a more direct approach by developing an iterative model checker for the class of pushdown processes which decides the alternation-free fragment of the modal $\mu$-calculus. The complexity of the algorithm is exponential in the size of the formula, while only quadratic in the size of the considered pushdown specification.

In Section 4.2 we describe the syntax and semantics of the modal $\mu$-calculus. We then extend in Section 4.3 the ordinary semantics of $\mu$-formulas to the assertion-based semantics and develop the theory of second-order semantics for sequential processes. In Section 4.4 we introduce equational $\mu$-formulas and present our model checking algorithm. Finally, in Section 4.5 we show that the semantics of $\mu$-formulas when interpreted on pushdown processes always describe regular sets of processes.



4.2 The Modal $\mu$-Calculus

Verification by means of model checking assumes that the intended behaviour of the concurrent system at hand is specified by a formula of temporal logic. It is widely accepted that this approach is applicable to the specification and verification of concurrent systems, since temporal logic provides a powerful formalism for describing the occurrences of events in time.

Temporal logics can be classified, regarding the underlying nature of time, into linear time and branching time logics. While linear time temporal logics assume that at each moment there is only one possible future, branching time temporal logics consider time as being tree-like. At each moment in time there exists a choice point representing the different courses of possible futures. These two points of view concerning the semantics of time are usually reflected by the modal operators of the temporal logic. Thus linear time logics provide operators for reasoning about runs which are sequences of events along a single time path, while modalities of branching time logic quantify over possible futures. For a more general survey about temporal logics we refer the reader to [Eme90, Sti92].

O. Burkart: Automatic Verification of Sequential Infinite-State Processes, LNCS 1354, pp. 67-114, 1997
© Springer-Verlag Berlin Heidelberg 1997

A particularly powerful branching time logic is the propositional modal $\mu$-calculus introduced by Kozen [Koz83]. It combines standard modal logic with least and greatest fixpoint operators, which allows very complex temporal properties to be expressed within this formalism. Since it subsumes most of the other propositional modal logics such as PDL [FL79], PDL-$\Delta$ [Str82], Process Logic [HKP82] and CTL* [EH86], it has attracted a lot of theoretical, as well as practical interest. For example, newer results have established the connection to tree automata by showing that the propositional modal $\mu$-calculus is equally expressive as Rabin automata on infinite trees [Niw86, Niw88, EJ91], and thus also as powerful as monadic second-order logic on these trees. Moreover, satisfiability of the modal $\mu$-calculus can be tested in deterministic single exponential time [EJ88]. In this sense, the modal $\mu$-calculus is only as “hard” as the much weaker logic PDL. Recently obtained results also show that there exists a finitary sequent-style complete axiomatisation of the modal $\mu$-calculus [Wal93], opening this logic even for theorem provers. Due to its expressiveness and its conciseness the modal $\mu$-calculus can therefore be regarded as the “assembly language” of temporal logics.

In this section we introduce the modal $\mu$-calculus as the specification language of our model checker. For algorithmic simplicity, however, we shall also represent formulas by means of mutually recursive equational $\mu$-formulas (cf. [CS91, CS92]). When developing our model checker in Section 4.4 the alternation-free fragment of the modal $\mu$-calculus, i.e. the fragment which does not contain alternating fixed points [EL86], will be of special interest. This fragment can also be interpreted as Hennessy-Milner Logic with recursion [Lar88], and is equally expressive as the class of formulas represented by hierarchically constructed equational $\mu$-formulas (cf. [CKS92]).



4.2.1 Syntax 

Syntactically, the modal $\mu$-calculus is parameterised with respect to a (countable) set of variables $Var$, and a set of actions $Act$. In what follows, $X$ will range over $Var$, and $a$ over $Act$. The syntax of $\mu$-formulas is then given by the grammar below. To simplify our presentation, we only assume the atomic proposition $tt$ here. However, an extension covering arbitrary atomic propositions, which are consistent with the representation of the transition system under consideration, is straightforward.

$\Phi ::= tt \mid X \mid \neg\Phi \mid \Phi \vee \Phi \mid \langle a \rangle \Phi \mid \mu X.\Phi$

The symbols $\neg$ and $\vee$ represent negation and disjunction, respectively, while $\langle a \rangle$ is a modal operator parameterised by $a$. Finally, $\mu X.\Phi$ represents a recursive formula where the fixpoint operator $\mu$ binds all free occurrences of $X$ in $\Phi$. In order to ensure the well-definedness of the semantics we additionally impose the syntactic restriction on the body of $\mu X.\Phi$ that any occurrence of $X$ in $\Phi$ must occur within the scope of an even number of negations.

To ease notation we introduce the standard abbreviations

$ff =_{df} \neg tt,$

$\Phi_1 \wedge \Phi_2 =_{df} \neg(\neg\Phi_1 \vee \neg\Phi_2),$

$[a]\Phi =_{df} \neg\langle a \rangle \neg\Phi,$

$\nu X.\Phi =_{df} \neg\mu X.\neg\Phi[\neg X/X]$

where $\Phi[\Psi/X]$ denotes the simultaneous replacement of all free occurrences of $X$ in $\Phi$ by $\Psi$⁴.

A formula $\Phi$ is called well named if every fixpoint operator in $\Phi$ binds a distinct variable, and free variables are distinct from bound variables. In the remainder of this monograph we will assume that each formula is well named. Furthermore, the set of all $\mu$-formulas will henceforth be denoted by $\mathcal{L}_\mu$.

The standard subformula relation $\prec$ on $\mu$-formulas is now given by the following definition.

Definition 4.2.1. The immediate subformula relation between $\mu$-formulas, denoted by $\prec$, is defined by

- If $\Phi = \neg\Psi$ then $\Psi \prec \Phi$.

- If $\Phi = \Phi_1 \vee \Phi_2$ then $\Phi_1 \prec \Phi$ and $\Phi_2 \prec \Phi$.

- If $\Phi = \langle a \rangle \Psi$ then $\Psi \prec \Phi$.

- If $\Phi = \mu X.\Psi$ then $\Psi \prec \Phi$.

As usual, the transitive closure of $\prec$ is denoted by $\prec^+$, while $\prec^*$ represents the reflexive and transitive closure of $\prec$.

Definition 4.2.2 (Subformulas of $\Phi$).

The set of all subformulas of $\Phi$ is defined by

$SF(\Phi) =_{df} \{\, \Psi \mid \Psi \prec^* \Phi \,\}.$

This set of formulas can further be divided into $SF(\Phi)^+$ and $SF(\Phi)^-$, containing all subformulas of $\Phi$ which occur under an even, respectively odd, number of negations.



⁴ As usual, the inadvertent binding of free variables of $\Psi$ by fixpoint operators of $\Phi$ has to be avoided by appropriately renaming the bound variables of $\Phi$.







Note that due to the syntactic restriction on bodies of fixpoint formulas we have that in each subformula of a closed formula all occurrences of a variable either occur under an even number of negations or they all occur under an odd number of negations, respectively. Hence a subformula of a closed formula $\Phi$ which contains a variable can only belong to either $SF(\Phi)^+$ or $SF(\Phi)^-$.

In the remainder, we shall use $\sigma$ to represent either $\mu$ or $\nu$. We call $\Psi$ a proper subformula of $\Phi$ if $\Psi \prec^+ \Phi$, whereas a subformula of the form $\sigma X.\Psi$ is called a $\sigma$-subformula. Moreover, we say that $\Psi'$ is a top-level $\sigma$-subformula of $\Phi$ if $\Psi'$ is a proper $\sigma$-subformula of $\Phi$ and for every other $\sigma$-subformula $\Theta$ of $\Phi$ we have that $\Psi'$ is not a subformula of $\Theta$.

When developing our model-checker in Section 4.4 we will represent $\mu$-formulas by equational $\mu$-formulas which are algorithmically more tractable. These formulas in equational form are closely related to particular finite sets of formulas, the so-called Fischer-Ladner closures [FL79].

Definition 4.2.3 (Fischer-Ladner Closure).

The Fischer-Ladner closure of a $\mu$-formula $\Phi$, denoted by $CL(\Phi)$, is defined as the least set of formulas satisfying

- $\Phi \in CL(\Phi)$

- If $\neg\Psi \in CL(\Phi)$ then $\Psi \in CL(\Phi)$.

- If $\Psi_1 \vee \Psi_2 \in CL(\Phi)$ then $\Psi_1 \in CL(\Phi)$ and $\Psi_2 \in CL(\Phi)$.

- If $\langle a \rangle \Psi \in CL(\Phi)$ then $\Psi \in CL(\Phi)$.

- If $\mu X.\Psi \in CL(\Phi)$ then $\Psi[\mu X.\Psi/X] \in CL(\Phi)$.

Finally, for complexity issues the notion of size for formulas is needed.

Definition 4.2.4 (Formula Size).

The size of a formula $\Phi$, denoted by $|\Phi|$, is inductively defined as

- If $\Phi \in \{tt\} \cup Var$ then $|\Phi| =_{df} 1$.

- If $\Phi$ is of the form $\neg\Psi$, $\langle a \rangle \Psi$ or $\mu X.\Psi$ then $|\Phi| =_{df} |\Psi| + 1$.

- If $\Phi$ is of the form $\Psi_1 \vee \Psi_2$ then $|\Phi| =_{df} |\Psi_1| + |\Psi_2| + 1$.
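An added example (not the monograph's code) computing $|\Phi|$ of Definition 4.2.4 and the Fischer-Ladner closure $CL(\Phi)$ of Definition 4.2.3 for $\mu$-formulas represented as nested tuples; the substitution helper relies on formulas being well named, as the monograph assumes from here on, and the constructor names are my own.

```python
# Added example (not the monograph's code).  Constructors of the core syntax:
# ("tt",), ("var", X), ("not", Φ), ("or", Φ1, Φ2), ("dia", a, Φ), ("mu", X, Φ).

TT = ("tt",)


def var(x):
    return ("var", x)


def neg(f):
    return ("not", f)


def disj(f, g):
    return ("or", f, g)


def dia(a, f):
    return ("dia", a, f)


def mu(x, f):
    return ("mu", x, f)


def size(f):
    """|Φ| as in Definition 4.2.4."""
    tag = f[0]
    if tag in ("tt", "var"):
        return 1
    if tag == "or":
        return size(f[1]) + size(f[2]) + 1
    return size(f[-1]) + 1           # ¬Φ, ⟨a⟩Φ and μX.Φ


def subst(f, x, g):
    """Φ[Ψ/X]: replace all free occurrences of X in Φ by Ψ.  Formulas are
    well named, so Ψ's free variables cannot be captured and no renaming
    (footnote 4) is needed."""
    tag = f[0]
    if tag == "tt":
        return f
    if tag == "var":
        return g if f[1] == x else f
    if tag == "mu" and f[1] == x:
        return f                      # X is bound here: nothing free below
    return (tag,) + tuple(subst(c, x, g) if isinstance(c, tuple) else c
                          for c in f[1:])


def closure(phi):
    """CL(Φ): the least set closed under the five rules, computed by adding
    the formulas each rule demands until nothing new appears."""
    cl = {phi}
    todo = [phi]
    while todo:
        f = todo.pop()
        tag = f[0]
        if tag in ("not", "dia"):
            new = [f[-1]]
        elif tag == "or":
            new = [f[1], f[2]]
        elif tag == "mu":
            new = [subst(f[2], f[1], f)]   # the unfolding Ψ[μX.Ψ/X]
        else:
            new = []
        for g in new:
            if g not in cl:
                cl.add(g)
                todo.append(g)
    return cl


if __name__ == "__main__":
    phi = mu("X", dia("a", var("X")))      # μX.⟨a⟩X
    print(size(phi), closure(phi))
```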



4.2.2 Semantics 

The formal semantics of $\mu$-formulas appears in Table 4.1. It is given with respect to a labelled transition graph $T = (S, Act, \to)$, and a valuation $V$ mapping variables to subsets of $S$, where $V[X \mapsto S']$ is the valuation resulting from $V$ by updating the binding of $X$ to $S'$.

$[\![ tt ]\!]_V =_{df} S$

$[\![ X ]\!]_V =_{df} V(X)$

$[\![ \neg\Phi ]\!]_V =_{df} S \setminus [\![ \Phi ]\!]_V$

$[\![ \Phi_1 \vee \Phi_2 ]\!]_V =_{df} [\![ \Phi_1 ]\!]_V \cup [\![ \Phi_2 ]\!]_V$

$[\![ \langle a \rangle \Phi ]\!]_V =_{df} \{\, s \mid \exists s'.\ s \xrightarrow{a} s' \wedge s' \in [\![ \Phi ]\!]_V \,\}$

$[\![ \mu X.\Phi ]\!]_V =_{df} \bigcap \{\, S' \subseteq S \mid [\![ \Phi ]\!]_{V[X \mapsto S']} \subseteq S' \,\}$

Table 4.1. The semantics of $\mu$-formulas.

Intuitively, the semantic function maps a formula to the set of states for which the formula is “true”. Accordingly, all states satisfy $tt$, while $s$ satisfies $X$ if $s$ is an element of the set bound to $X$ in $V$. Negation and disjunction are interpreted in the usual fashion: $s$ satisfies $\neg\Phi$ if it does not satisfy $\Phi$, and $s$ satisfies $\Phi_1 \vee \Phi_2$ if it satisfies either $\Phi_1$ or $\Phi_2$. The modal operator $\langle a \rangle$ is interpreted as follows: $s$ satisfies $\langle a \rangle \Phi$ if it has an $a$-derivative satisfying $\Phi$. The interpretation of $\mu X.\Phi$ is somewhat complicated and depends on a fixpoint characterisation⁵ given by Tarski and Knaster [Tar55, Kna28].

Recall that the powerset of any set $M$ together with set inclusion as partial order, union as join, and intersection as meet forms a complete lattice. By the Tarski-Knaster Theorem 2.2.2, any monotone function $f : 2^M \to 2^M$ has a least fixpoint, $\mu f$, and a greatest fixpoint, $\nu f$, given by

$\mu f = \bigcap \{\, N \subseteq M \mid f(N) \subseteq N \,\}, \text{ and}$

$\nu f = \bigcup \{\, N \subseteq M \mid N \subseteq f(N) \,\}.$

In case of the modal $\mu$-calculus the syntactic restriction on bodies of fixpoint formulas and the semantics of the other logical operators ensures that the function $f$ defined by

$f(S') =_{df} [\![ \Phi ]\!]_{V[X \mapsto S']}$

is monotone for any valuation $V$ (cf. [Cle90]). Thus it has a least, respectively greatest, fixpoint which is taken as the semantics of $\mu X.\Phi$, respectively $\nu X.\Phi$. If the underlying labelled transition graph is finite-state, every monotone function $f$ over the powerset lattice of states is also continuous. Therefore, the least, respectively greatest, fixpoint of $f$ can be computed iteratively. In particular, we have

$[\![ \mu X.\Phi ]\!]_V = \bigcup_{i \in \mathbb{N}} f^i(\emptyset) \quad \text{and} \quad [\![ \nu X.\Phi ]\!]_V = \bigcap_{i \in \mathbb{N}} f^i(S). \qquad (4.1)$

Finally, for closed formulas it can be shown that the semantics is independent of the valuation, i.e. that we have $[\![ \Phi ]\!]_{V_1} = [\![ \Phi ]\!]_{V_2}$ for all valuations $V_1$ and $V_2$. In this case we shall occasionally omit reference to the valuation.

⁵ A good survey about the history of the various known fixpoint theorems is given by Lassez, Nguyen and Sonenberg in [LNS82].

4.2.3 Continuity
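An added example (not the monograph's code): the semantic function of Table 4.1 on a finite labelled transition graph, with the fixpoint case computed by the iteration (4.1), which is valid because the state set is finite. $\nu X.\Phi$ and $[a]\Phi$ are evaluated directly by their dual clauses rather than by expanding the abbreviations, and the six-state graph is a constructed example of my own.

```python
# Constructed six-state graph T = (S, Act, →) (my own example, not from the book).
STATES = frozenset({"s0", "s1", "s2", "s3", "s4", "s5"})
TRANS = frozenset({("s0", "a", "s1"), ("s1", "a", "s2"), ("s2", "a", "s1"),
                   ("s1", "b", "s3"), ("s3", "a", "s4"), ("s4", "b", "s4")})
GRAPH = (STATES, TRANS)


def succ(trans, s, a):
    """The a-derivatives of s."""
    return {t for (src, lab, t) in trans if src == s and lab == a}


def sem(f, T, V):
    """⟦Φ⟧_V ⊆ S following Table 4.1; T = (S, →), V maps variables to sets.
    Formulas are nested tuples: ("tt",), ("var", X), ("not", Φ), ("or", Φ1, Φ2),
    ("dia", a, Φ), ("box", a, Φ), ("mu", X, Φ), ("nu", X, Φ)."""
    S, trans = T
    tag = f[0]
    if tag == "tt":
        return frozenset(S)
    if tag == "var":                                   # ⟦X⟧_V = V(X)
        return frozenset(V.get(f[1], frozenset()))
    if tag == "not":                                   # S \ ⟦Φ⟧_V
        return frozenset(S) - sem(f[1], T, V)
    if tag == "or":
        return sem(f[1], T, V) | sem(f[2], T, V)
    if tag == "dia":                                   # some a-derivative satisfies Φ
        inner = sem(f[2], T, V)
        return frozenset(s for s in S if succ(trans, s, f[1]) & inner)
    if tag == "box":                                   # every a-derivative satisfies Φ
        inner = sem(f[2], T, V)
        return frozenset(s for s in S if succ(trans, s, f[1]) <= inner)
    if tag in ("mu", "nu"):
        # Iteration (4.1): f^i(∅) ascending for μ, f^i(S) descending for ν.
        # Monotonicity of f and finiteness of S make the chain stabilise at the fixpoint.
        x, body = f[1], f[2]
        cur = frozenset() if tag == "mu" else frozenset(S)
        while True:
            nxt = sem(body, T, {**V, x: cur})          # f(cur) under V[X ↦ cur]
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError("unknown constructor %r" % (tag,))


def conj(f, g):
    """Φ1 ∧ Φ2 as the abbreviation ¬(¬Φ1 ∨ ¬Φ2)."""
    return ("not", ("or", ("not", f), ("not", g)))


# Three closed formulas in the tuple encoding.
INF_A_PATH = ("nu", "X", ("dia", "a", ("var", "X")))                 # νX.⟨a⟩X
REACH_B = ("mu", "X", ("or", ("dia", "b", ("tt",)),
                       ("dia", "a", ("var", "X"))))                    # μX.⟨b⟩tt ∨ ⟨a⟩X
FIN_B = ("mu", "Y", ("nu", "X", conj(("box", "b", ("var", "Y")),
                                     ("box", "a", ("var", "X")))))    # μY.νX.[b]Y ∧ [a]X

if __name__ == "__main__":
    for name, phi in [("νX.⟨a⟩X", INF_A_PATH), ("μX.⟨b⟩tt ∨ ⟨a⟩X", REACH_B),
                      ("μY.νX.[b]Y ∧ [a]X", FIN_B)]:
        print(name, sorted(sem(phi, GRAPH, {})))
```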

As pointed out by Stirling [Sti92], the iterative characterisation (4.1) of the semantics of fixpoint formulas is no longer valid for infinite-state systems. Consider, for example, the formula

$\Phi =_{df} \nu X.[b]Y \wedge [a]X$

expressing “on every $a$-path after each $b$-transition $Y$ is always true”. That the semantics of $\Phi$ is, in general, not continuous in $Y$ may then be illustrated by means of the labelled transition graph $T$ given in Figure 4.1. This infinite transition graph is finitely-branching and moreover, even context-free since it is generated by the BPA specification $C = \{ A = aAB + b,\ B = b \}$.




Fig. 4.1. A context-free labelled transition graph. 



Now let the semantics of $\Phi$ with respect to the valuation of $Y$ be abbreviated by

$f(S') =_{df} [\![ \nu X.[b]Y \wedge [a]X ]\!]_{V[Y \mapsto S']}$

and assume that $Y$ holds for $\varepsilon, B, B^2, \dots$. This implies that all processes of $T$ satisfy $\Phi$, i.e. we have

$f(\{\, B^j \mid j \in \mathbb{N} \,\}) = \{\, B^j \mid j \in \mathbb{N} \,\} \cup \{\, AB^j \mid j \in \mathbb{N} \,\} = S.$

In contrast, assuming that only every finite sequence of processes $\varepsilon, B, B^2, \dots, B^j$ satisfies $Y$ yields merely the set $\{\varepsilon, B, B^2, \dots\}$ as the semantics of $\Phi$, i.e. in this case we obtain

$\bigcup_{j \in \mathbb{N}} f(\{\, B^i \mid 0 \le i \le j \,\}) = \{\, B^j \mid j \in \mathbb{N} \,\}.$

From this we deduce that the function $f$ is not continuous.

Nevertheless, in the general case we always have the weaker inclusion

$\bigcup_{i \in \mathbb{N}} f^i(\emptyset) \subseteq [\![ \mu Y.\Phi ]\!]_V$

for least fixpoints. Equality holds again if we introduce iteration over transfinite ordinals, a mathematical notion which deals with counting beyond the natural numbers. Accordingly, the least transfinite ordinal is associated with the set of natural numbers and, as usual, denoted by $\omega$. Using iteration over transfinite ordinals the semantics of $\mu Y.\Phi$ with respect to $T$, for example, may be computed as follows.

$f^j(\emptyset) = \{\, B^i \mid 0 \le i < j \,\}, \quad j \in \mathbb{N}$

$f^\omega(\emptyset) = \{\, B^j \mid j \in \mathbb{N} \,\}$

$f^{\omega+2}(\emptyset) = f^{\omega+1}(\emptyset) = \{\, B^j \mid j \in \mathbb{N} \,\} \cup \{\, AB^j \mid j \in \mathbb{N} \,\} = S$

Hence in our particular example the least fixpoint of $f$ is already reached by iterating one more step beyond $\omega$. Considering the labelled transition graph $T$ this fixpoint property is intuitively clear, as the least fixpoint of $f$ corresponds to the closed $\mu$-formula

$\mu Y.\nu X.[b]Y \wedge [a]X$

which expresses that “on every $\{a, b\}$-path only finitely many $b$-transitions can occur”.

4.2.4 Alternation Depth 

When analysing the complexity of algorithms dealing with formulas it turns out that the number of nested alternating quantifications occurring in a formula often plays a crucial role. The appropriate notion for $\mu$-formulas is called alternation depth and was introduced by Emerson and Lei [EL86]. The definition of alternation depth assumes that the formulas are given in Positive Normal Form (PNF), i.e. in negation-free form such that all bound variables are disjoint. This assumption does not impose any restriction, since every $\mu$-formula can be translated into an equivalent formula in PNF by means of the transformation given in the following lemma (cf. [CKS92]).

Lemma 4.2.1 (PNF Transformation).

Let $\Phi$ be a closed $\mu$-formula. Then $\Phi$ can be translated into an equivalent formula in PNF in $O(|\Phi|)$.

Proof. The translation is done by driving the negations in using the following rewrite rules, and by renaming variables as appropriate.

$\neg tt \longrightarrow ff$

$\neg\neg\Phi \longrightarrow \Phi$

$\neg(\Phi_1 \vee \Phi_2) \longrightarrow (\neg\Phi_1) \wedge (\neg\Phi_2)$

$\neg(\langle a \rangle \Phi) \longrightarrow [a]\neg\Phi$

$\neg(\mu X.\Phi) \longrightarrow \nu X.\neg\Phi[\neg X/X]$

The resulting formula is negation-free due to the restriction that bound variables may only occur within the range of an even number of negations. □



The nesting depth of fixpoint operators occurring in a formula may now be
formalised as follows.

Definition 4.2.5 (Alternation Depth).

The alternation depth of a formula Φ in PNF, denoted by ad(Φ), is inductively
defined as:

1. If Φ contains proper closed top-level σ-subformulas Φ_1 = σX_1.Ψ_1, ...,
   Φ_n = σX_n.Ψ_n, then

   $$ ad(\Phi) =_{\mathrm{df}} \max\{\, ad(\Phi[tt/\Phi_1, \ldots, tt/\Phi_n]),\ ad(\Phi_1),\ \ldots,\ ad(\Phi_n) \,\} $$

   where Φ[tt/Φ_1, ..., tt/Φ_n] means the formula obtained from Φ by
   replacing each Φ_i with tt.

2. If Φ does not contain any proper closed top-level σ-subformula, then

   a) If Φ is of the form tt, ff, or X then ad(Φ) =df 0.

   b) If Φ is either Ψ_1 ∨ Ψ_2 or Ψ_1 ∧ Ψ_2 then ad(Φ) =df max{ ad(Ψ_1), ad(Ψ_2) }.

   c) If Φ is either ⟨a⟩Ψ or [a]Ψ then ad(Φ) =df ad(Ψ).

   d) If Φ = σX.Ψ then

   $$ ad(\Phi) =_{\mathrm{df}} \max\{\, 1,\ ad(\Psi),\ 1 + ad(\bar\sigma X_1.\Psi_1),\ \ldots,\ 1 + ad(\bar\sigma X_n.\Psi_n) \,\} $$

   where σ̄ denotes the dual fixpoint operator of σ, and σ̄X_1.Ψ_1, ...,
   σ̄X_n.Ψ_n are the top-level σ̄-subformulas of Ψ.

The alternation depth of a formula Φ which is not in PNF is defined as ad(Φ')
where Φ' is obtained by transforming Φ into PNF. In the remainder of this
monograph the set of all μ-formulas with alternation depth k shall be denoted
by L_μ^k.
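As an added illustration of Lemma 4.2.1 and Definition 4.2.5 (example code, not from the monograph): a small Python implementation that renames bound variables apart, drives negations inwards with the rewrite rules above, and computes the alternation depth of the resulting PNF formula case by case. The tuple encoding of formulas and all function names are this example's own assumptions; the rules for ff, ∧, [a] and ν are the duals of the ones listed in the proof.

```python
"""PNF transformation (Lemma 4.2.1) and alternation depth (Definition 4.2.5).
Formulas are nested tuples (constructed encoding): ('tt',), ('ff',), ('var', 'X'),
('not', f), ('or', f, g), ('and', f, g), ('dia', 'a', f), ('box', 'a', f),
('mu', 'X', f), ('nu', 'X', f)."""
from itertools import count

DUAL = {'tt': 'ff', 'ff': 'tt', 'or': 'and', 'and': 'or',
        'dia': 'box', 'box': 'dia', 'mu': 'nu', 'nu': 'mu'}


def rename_bound(f, env=None, fresh=None):
    """Rename binders apart so that all bound variables of the formula are distinct."""
    env, fresh = env or {}, fresh if fresh is not None else count(1)
    k = f[0]
    if k in ('tt', 'ff'):
        return f
    if k == 'var':
        return ('var', env.get(f[1], f[1]))
    if k in ('not', 'or', 'and'):
        return (k,) + tuple(rename_bound(c, env, fresh) for c in f[1:])
    if k in ('dia', 'box'):
        return (k, f[1], rename_bound(f[2], env, fresh))
    new = '%s_%d' % (f[1], next(fresh))                     # mu / nu binder
    return (k, new, rename_bound(f[2], {**env, f[1]: new}, fresh))


def subst(f, x, g):
    """f[g/x]; capture-free because binders have been renamed apart."""
    k = f[0]
    if k == 'var':
        return g if f[1] == x else f
    if k in ('tt', 'ff'):
        return f
    if k in ('not', 'or', 'and'):
        return (k,) + tuple(subst(c, x, g) for c in f[1:])
    if k in ('dia', 'box'):
        return (k, f[1], subst(f[2], x, g))
    return f if f[1] == x else (k, f[1], subst(f[2], x, g))   # mu / nu


def push_neg(f):
    """Drive negations inwards with the rewrite rules of Lemma 4.2.1; the rules
    for ff, 'and', [a] and nu are the duals of the ones listed in the proof."""
    k = f[0]
    if k != 'not':
        if k in ('tt', 'ff', 'var'):
            return f
        if k in ('or', 'and'):
            return (k, push_neg(f[1]), push_neg(f[2]))
        return (k, f[1], push_neg(f[2]))                    # dia, box, mu, nu
    g, kg = f[1], f[1][0]                                   # f is ¬g
    if kg in ('tt', 'ff'):
        return (DUAL[kg],)                                  # ¬tt → ff
    if kg == 'var':
        return f                                            # ¬X stays for a free X
    if kg == 'not':
        return push_neg(g[1])                               # ¬¬Φ → Φ
    if kg in ('or', 'and'):                                 # ¬(Φ1 ∨ Φ2) → (¬Φ1) ∧ (¬Φ2)
        return (DUAL[kg], push_neg(('not', g[1])), push_neg(('not', g[2])))
    if kg in ('dia', 'box'):                                # ¬⟨a⟩Φ → [a]¬Φ
        return (DUAL[kg], g[1], push_neg(('not', g[2])))
    x, body = g[1], g[2]                                    # ¬μX.Φ → νX.¬Φ[¬X/X]
    return (DUAL[kg], x, push_neg(('not', subst(body, x, ('not', ('var', x))))))


def to_pnf(f):
    return push_neg(rename_bound(f))


def free_vars(f):
    k = f[0]
    if k == 'var':
        return {f[1]}
    if k in ('tt', 'ff'):
        return set()
    if k in ('mu', 'nu'):
        return free_vars(f[2]) - {f[1]}
    return set().union(*(free_vars(c) for c in f[1:] if isinstance(c, tuple)))


def top_level_fixpoints(f, want):
    """Fixpoint subformulas of f of kind `want` ('mu' / 'nu'), or closed ones for
    want='closed', that are not nested inside another such subformula."""
    k = f[0]
    if k in ('mu', 'nu') and (want == k or (want == 'closed' and not free_vars(f))):
        return [f]
    return [g for c in f[1:] if isinstance(c, tuple) for g in top_level_fixpoints(c, want)]


def replace_by_tt(f, targets):
    if f in targets:
        return ('tt',)
    return tuple(replace_by_tt(c, targets) if isinstance(c, tuple) else c for c in f)


def ad(f):
    """Alternation depth of a formula in PNF, following Definition 4.2.5 case by case."""
    k = f[0]
    # case 1: proper closed top-level fixpoint subformulas are cut out and treated apart
    closed = [g for c in f[1:] if isinstance(c, tuple) for g in top_level_fixpoints(c, 'closed')]
    if closed:
        return max([ad(replace_by_tt(f, closed))] + [ad(g) for g in closed])
    if k in ('tt', 'ff', 'var'):                            # case 2a
        return 0
    if k in ('or', 'and'):                                  # case 2b
        return max(ad(f[1]), ad(f[2]))
    if k in ('dia', 'box'):                                 # case 2c
        return ad(f[2])
    duals = top_level_fixpoints(f[2], DUAL[k])              # case 2d
    return max([1, ad(f[2])] + [1 + ad(g) for g in duals])


def alternation_depth(f):
    """ad of an arbitrary formula: transform into PNF first, as Definition 4.2.5 says."""
    return ad(to_pnf(f))
```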



4.3 Assertion-Based Semantics 

In the standard semantics the validity of a formula is defined with respect to
single states. This notion cannot directly be adapted to sequential
infinite-state processes: the truth value at the start state might not be the
same in different contexts, i.e. for different continuations.† However, if the
continuations satisfy the same sets of formulas, then so does the start state
of the sequential process in these contexts. This observation is the key to
the assertion-based semantics: it is consistent with the usual semantics to
view a process as a property transformer, i.e. as a function which yields the
set of formulas valid at the start state, relative to the assertion that the
tuple of sets of formulas to which the transformer is applied are valid at the
end states.

† Note that we are dealing with forward modalities. Thus the validity of
formulas "propagates" backward.

In this section we introduce the assertion-based semantics of μ-formulas. It
may be interpreted as an extension of the ordinary semantics which allows the
validity of formulas at certain states to be controlled relative to
assertions. Subsequently, the dual point of view is elaborated, where states
are associated with the set of formulas that they satisfy under some given
assertion. This point of view yields the second-order semantics, which is the
key to our model checking algorithm.



4.3.1 A Motivating Example 

To demonstrate the motivation behind our approach we give a simple example. We
consider the μ-formula Φ =df νX.⟨a⟩X which, intuitively, expresses the
property "there exists an infinite a-path". The closure of the formula Φ is
then the set CL(Φ) = { Φ, ⟨a⟩Φ }.

When interpreted with respect to the finite state system FS_1 given in
Figure 4.2, which has the three states s1, s2 and s3, we clearly have that all
three states satisfy Φ as well as ⟨a⟩Φ. Interpreting Φ with respect to the
second finite state system FS_2 yields similarly that Φ and ⟨a⟩Φ hold for all
states t1, t2, t3 and t4.




Fig. 4.2. Two simple finite state systems. 



Observe, however, that the validity of Φ for s1, respectively t1, only depends
on the validity of Φ for s2, respectively t2. Given a formula Φ, we may
therefore abstract from the behaviour of the system to the right of the dashed
line by fixing at the border line the set of formulas Γ ⊆ CL(Φ) valid for the
process which starts there. Moreover, we may now vary the set of formulas
which are assumed to be true for the state on the border line, resulting in a
functional dependency between the set of formulas valid for the start state
and the formulas which have been fixed at the border line. The corresponding
picture for our finite state systems and the formula Φ is shown in Figure 4.3.
[Figure 4.3 (not reproduced): the boxes are labelled with the formula set
{ Φ, ⟨a⟩Φ } and the transitions with the actions a and b.]

Fig. 4.3. Assertions and the resulting functional dependency.



The set of formulas which have been fixed is drawn in the rectangular box,
while the formulas which are as a consequence true for the start state are
shown in the rounded box. In particular, only two cases are of interest here:
first, the system on the right-hand side has an infinite a-path, represented
by the fixed set { Φ, ⟨a⟩Φ }, which implies the existence of an infinite
a-path also from the start state; and secondly, the system to the right of the
border line has no infinite a-path, expressed by the set ∅, which clearly
yields that under this condition no infinite a-path can evolve from the start
state.

4.3.2 Definition of Assertion-Based Semantics 

In the remainder of this chapter we formalise the ideas demonstrated by the 
previous example by introducing the assertion-based semantics which will 
subsequently lead to the notion of property transformer describing condi- 
tionally the behaviour of processes. 

Definition 4.3.1 (μ-Assertion).

Let T = (S, Act, →) be a labelled transition graph. A μ-assertion Ω is a
partial mapping S → 2^{L_μ}, i.e. it assigns sets of formulas Δ ⊆ L_μ to
states s ∈ S. The assertion set induced by Ω with respect to a formula Φ is
then the set of states defined by

$$ \Omega^{-1}(\Phi) =_{\mathrm{df}} \{\, s \in S \mid \Phi \in \Omega(s) \,\}. $$

As usual, we denote the domain of Ω by dom(Ω), and the image of Ω by im(Ω).
An assertion is said to be finite if dom(Ω) and each Δ ∈ im(Ω) are finite.
Moreover, if dom(Ω) is finite the assignments can explicitly be enumerated as
[s_1 ⊨ Δ_1, ..., s_n ⊨ Δ_n] (or [s_i ⊨ Δ_i]_{i=1}^n for short) where the s_i
are states of S, and the Δ_i are sets of formulas. Accordingly, the empty
assertion will be denoted by []. For ease of notation, we write Ω[s ⊨ Δ] for
the assertion which behaves as Ω except that the binding of s is updated to
Δ. Finally, we denote by Ω ∩ Δ, for Δ ⊆ L_μ, the μ-assertion

$$ (\Omega \cap \Delta)(s) =_{\mathrm{df}} \Omega(s) \cap \Delta, $$

as well as by V \ dom(Ω) the valuation defined as

$$ (V \setminus dom(\Omega))(X) =_{\mathrm{df}} V(X) \setminus dom(\Omega). $$

Intuitively, an assertion Ω = [s_i ⊨ Δ_i]_{i=1}^n expresses that a state s_i
satisfies exactly the set of formulas Δ_i. This goal is achieved by
considering the usual semantics of a formula Φ for states not affected by Ω,
while assuming at the same time that Φ holds for all states in Ω^{-1}(Φ).
Given a set of states S, the effect of an assertion Ω on S is therefore
formally defined as‡

$$ \mathfrak{A}^{\Phi}_{\Omega}(S) =_{\mathrm{df}} S \setminus dom(\Omega) \cup \Omega^{-1}(\Phi). $$

The assertion-based semantics (ABS) of a μ-formula is now given in Table 4.2.
It is defined with respect to a labelled transition graph T, a valuation V,
and an assertion Ω.



$$
\begin{array}{lcl}
\llbracket tt \rrbracket^{\mathcal{T}}_{V,\Omega} & =_{\mathrm{df}} & \mathfrak{A}^{tt}_{\Omega}(S) \\[4pt]
\llbracket X \rrbracket^{\mathcal{T}}_{V,\Omega} & =_{\mathrm{df}} & \mathfrak{A}^{X}_{\Omega}(V(X)) \\[4pt]
\llbracket \neg\Phi \rrbracket^{\mathcal{T}}_{V,\Omega} & =_{\mathrm{df}} & \mathfrak{A}^{\neg\Phi}_{\Omega}(S \setminus \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega}) \\[4pt]
\llbracket \Phi_1 \vee \Phi_2 \rrbracket^{\mathcal{T}}_{V,\Omega} & =_{\mathrm{df}} & \mathfrak{A}^{\Phi_1 \vee \Phi_2}_{\Omega}(\llbracket \Phi_1 \rrbracket^{\mathcal{T}}_{V,\Omega} \cup \llbracket \Phi_2 \rrbracket^{\mathcal{T}}_{V,\Omega}) \\[4pt]
\llbracket \langle a \rangle\Phi \rrbracket^{\mathcal{T}}_{V,\Omega} & =_{\mathrm{df}} & \mathfrak{A}^{\langle a \rangle\Phi}_{\Omega}(\{\, s \in S \mid \exists s' \in S.\ s \xrightarrow{a} s' \text{ and } s' \in \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega} \,\}) \\[4pt]
\llbracket \mu X.\Phi \rrbracket^{\mathcal{T}}_{V,\Omega} & =_{\mathrm{df}} & \mathfrak{A}^{\mu X.\Phi}_{\Omega}(\bigcap\{\, S' \subseteq S \mid \llbracket \Phi \rrbracket^{\mathcal{T}}_{V[X \mapsto S'],\Omega} \subseteq S' \,\})
\end{array}
$$

Table 4.2. The assertion-based semantics of μ-formulas.



4.3.3 Properties of Assertion-Based Semantics 

In the remainder of this section we explore the properties of the
assertion-based semantics. They will constitute the foundation for the
model-checking algorithm we are going to develop in Section 4.4. We start by
comparing the assertion-based semantics with the ordinary semantics for the
modal μ-calculus.

As the next lemma shows, the assertion-based semantics is a conservative
extension of the ordinary semantics, since it coincides with the ordinary
semantics when the given assertion is empty. Moreover, the lemma expresses
that assertions may overwrite the bindings of free variables for states
contained in their domain.

Lemma 4.3.1. Let T = (S, Act, →) be a labelled transition graph, Φ be a
formula and V a valuation. Then we have

1. $\llbracket \Phi \rrbracket^{\mathcal{T}}_{V,[]} = \llbracket \Phi \rrbracket^{\mathcal{T}}_{V}$

2. $\llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega} = \llbracket \Phi \rrbracket^{\mathcal{T}}_{V \setminus dom(\Omega),\Omega}$

Sketch. In both cases the lemma can be shown by straightforward structural
induction on Φ. For the first case we have to observe that []^{-1}(Φ) is
always the empty set, while the second claim follows directly from the
definition of the assertion-based semantics for variables. □

‡ Throughout we will use the convention that \ has higher precedence than ∪.

An important observation is that only the part of the assertion Ω which
concerns the subformulas of Φ is significant for the assertion-based
semantics. This is similar to valuations, where only the bindings of variables
occurring free in Φ must be taken into account.

Lemma 4.3.2 (Subformula Property of ABS).

Let T be a labelled transition graph, Φ be a formula, Ω be an assertion, and
V be a valuation. Then we have

$$ \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega \cap SF(\Phi)} = \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega}. $$

Sketch. The important point to observe is that for each s ∈ dom(Ω), and each
Ψ ∈ SF(Φ), we have

$$ \Psi \in \Omega(s) \quad\text{iff}\quad \Psi \in (\Omega \cap SF(\Phi))(s). $$

The lemma can then be shown by structural induction on Φ, since the semantics
of Φ depends only on the semantics of subformulas Ψ which are elements of
SF(Φ). □

The next result shows that the assertion-based semantics is monotone with
respect to valuations, as well as assertions, in the following sense.

Lemma 4.3.3 (Monotonicity of ABS).

Let T be a labelled transition graph, Φ be a formula, Ω be an assertion, and
V be a valuation.

1. If every free occurrence of X in Φ is within an even number of negations
   then the mapping

   $$ \varphi(S) =_{\mathrm{df}} \llbracket \Phi \rrbracket^{\mathcal{T}}_{V[X \mapsto S],\Omega} $$

   is monotone on 2^S.

2. If Δ^- is a subset of SF(Φ)^- then the mapping ψ defined by

   $$ \psi(\Delta^+) =_{\mathrm{df}} \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models \Delta^+ \cup \Delta^-]} $$

   is monotone between SF(Φ)^+ and 2^S.

Proof. The first part can be proved following the lines given in [Cle90] for
ordinary semantics. A function f over 2^S is said to be anti-monotone if
S_1 ⊆ S_2 implies f(S_1) ⊇ f(S_2). The proof is then accomplished by showing
the slightly stronger result that the function

$$ f'(S) =_{\mathrm{df}} \llbracket \Phi \rrbracket^{\mathcal{T}}_{V[X \mapsto S],\Omega} $$

is monotone if X appears under an even number of negations, and anti-monotone
if X appears under an odd number of negations, respectively. This follows by
straightforward induction on the structure of Φ from observing that ∨ and
⟨a⟩, for each action a, are monotone operators, whereas ¬ is anti-monotone.

To prove the second part we need again a slightly stronger result. Let

$$ \psi : SF(\Phi)^+ \times SF(\Phi)^- \to 2^S, \qquad \psi(\Delta^+, \Delta^-) =_{\mathrm{df}} \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models \Delta^+ \cup \Delta^-]}. $$

Then ψ is monotone in the first argument, while anti-monotone in the second.
This is shown by structural induction on Φ. Since most cases are routine we
prove only the case for Φ = ¬Ψ. Here we have

$$ \psi(\Delta^+, \Delta^-) = \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models \Delta^+ \cup \Delta^-]} = \mathfrak{A}^{\neg\Psi}_{\Omega[s \models \Delta^+ \cup \Delta^-]}\bigl(S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models \Delta^+ \cup \Delta^-]}\bigr). $$

Now by induction hypothesis [[Ψ]]^T_{V,Ω[s ⊨ Δ^+ ∪ Δ^-]} is monotone in Δ^-,
and anti-monotone in Δ^+. Since ¬Ψ ∈ SF(Φ)^+ we also have that
Ω[s ⊨ Δ^+ ∪ Δ^-]^{-1}(¬Ψ) is monotone in Δ^+, and independent of Δ^-. Overall,
this yields the monotonicity of [[¬Ψ]]^T_{V,Ω[s ⊨ Δ^+ ∪ Δ^-]} with respect to
Δ^+, as well as the anti-monotonicity with respect to Δ^-, which proves the
lemma for Φ = ¬Ψ. □



As in the case of ordinary semantics we can establish a link between the 
syntactic notion of substitution and the semantic notion of valuation binding 
(cf. [Cle90]). Subsequently, this link will allow fixpoint formulas to be syntac- 
tically unrolled without change in the semantics. However, we must impose 
some consistency condition on the given assertion which will be important 
when considering equational formulas in Section 4.4.1. 

Lemma 4.3.4 (Substitution Lemma for ABS).

Let T = (S, Act, →) be a labelled transition graph, Φ and Θ be formulas, X be
a variable, Ω be an assertion, and V be a valuation. If Ω satisfies the
consistency condition

$$ \Phi[\Theta/X] \in \Delta \quad\text{iff}\quad \Phi \in \Delta, $$

for all Δ ∈ im(Ω), then we have

$$ \llbracket \Phi[\Theta/X] \rrbracket^{\mathcal{T}}_{V,\Omega} = \llbracket \Phi \rrbracket^{\mathcal{T}}_{V[X \mapsto \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega}],\Omega}. $$

Proof. The proof is done by structural induction on Φ. Here we consider only
the most interesting cases Φ = X and Φ = μY.Ψ. The others are routine.

– If Φ = X then

$$ \llbracket X[\Theta/X] \rrbracket^{\mathcal{T}}_{V,\Omega} = \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega} = \mathfrak{A}^{X}_{\Omega}(\llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega}) = \llbracket X \rrbracket^{\mathcal{T}}_{V[X \mapsto \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega}],\Omega} $$

since we know that for all s ∈ dom(Ω) we have

$$ s \in \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega} \ \text{iff}\ \Theta \in \Omega(s) \ \text{iff}\ X \in \Omega(s) \ \text{iff}\ s \in \Omega^{-1}(X). $$

– If Φ = μY.Ψ then

$$
\begin{array}{cl}
 & \llbracket \mu Y.\Psi[\Theta/X] \rrbracket^{\mathcal{T}}_{V,\Omega} \\[4pt]
= & \mathfrak{A}^{\mu Y.\Psi[\Theta/X]}_{\Omega}\bigl(\bigcap\{\, S' \subseteq S \mid \llbracket \Psi[\Theta/X] \rrbracket^{\mathcal{T}}_{V[Y \mapsto S'],\Omega} \subseteq S' \,\}\bigr) \\[4pt]
= & \text{[by induction hypothesis]} \\[4pt]
 & \mathfrak{A}^{\mu Y.\Psi[\Theta/X]}_{\Omega}\bigl(\bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[Y \mapsto S'][X \mapsto \llbracket \Theta \rrbracket^{\mathcal{T}}_{V[Y \mapsto S'],\Omega}],\Omega} \subseteq S' \,\}\bigr) \\[4pt]
= & \text{[by def. of subst. we may assume that } Y \text{ is not free in } \Theta\text{]} \\[4pt]
 & \mathfrak{A}^{\mu Y.\Psi[\Theta/X]}_{\Omega}\bigl(\bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega}][Y \mapsto S'],\Omega} \subseteq S' \,\}\bigr) \\[4pt]
= & \text{[since } \mu Y.\Psi[\Theta/X] \in \Omega(s) \text{ iff } \mu Y.\Psi \in \Omega(s),\ \forall s \in dom(\Omega)\text{]} \\[4pt]
 & \mathfrak{A}^{\mu Y.\Psi}_{\Omega}\bigl(\bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega}][Y \mapsto S'],\Omega} \subseteq S' \,\}\bigr) \\[4pt]
= & \llbracket \mu Y.\Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto \llbracket \Theta \rrbracket^{\mathcal{T}}_{V,\Omega}],\Omega}
\end{array}
$$

□



Corollary 4.3.1 (Fixpoint Unrolling).

Let T be a labelled transition graph, μX.Ψ be a fixpoint formula, Ω be an
assertion, and V be a valuation. If Ω satisfies the consistency condition

$$ \mu X.\Psi \in \Delta \quad\text{iff}\quad \Psi \in \Delta \quad\text{iff}\quad \Psi[\mu X.\Psi/X] \in \Delta, $$

for all Δ ∈ im(Ω), then we have

$$ \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega} = \llbracket \Psi[\mu X.\Psi/X] \rrbracket^{\mathcal{T}}_{V,\Omega}. $$

Proof. Abbreviating ⋂{ S' ⊆ S | [[Ψ]]^T_{V[X↦S'],Ω} ⊆ S' } by S_Ω, we observe
that due to the consistency condition μX.Ψ ∈ Δ iff Ψ ∈ Δ, for all Δ ∈ im(Ω),
we have

$$ \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega} = S_\Omega \qquad (4.2) $$

Since Ω also satisfies Ψ[μX.Ψ/X] ∈ Δ iff Ψ ∈ Δ, for all Δ ∈ im(Ω), we may
apply Lemma 4.3.4 to obtain

$$
\begin{array}{cl}
 & \llbracket \Psi[\mu X.\Psi/X] \rrbracket^{\mathcal{T}}_{V,\Omega} \\[4pt]
= & \text{[by Lemma 4.3.4]} \quad \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega}],\Omega} \\[4pt]
= & \text{[by equation 4.2]} \quad \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S_\Omega],\Omega} \\[4pt]
= & \text{[by fixpoint property of } S_\Omega\text{]} \quad S_\Omega \\[4pt]
= & \text{[by equation 4.2]} \quad \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega}
\end{array}
$$

□
Correct assertions which assume exactly the set of formulas valid for a state
will play an important role in our theory. In order to make this notion
precise we introduce the satisfiability set of a state as follows.

Definition 4.3.2 (Satisfiability Set).

The satisfiability set of s wrt. Φ, T, V and Ω, denoted by Sat(s,Φ)^T_{V,Ω},
is inductively defined as the least set of formulas satisfying the rules given
in Table 4.3.

Intuitively, Sat(s,Φ)^T_{V,Ω} is the set of subformulas of Φ which hold for
the state s in the transition graph T with respect to the valuation V and the
assertion Ω.

A direct consequence of the subformula property of the assertion-based
semantics as stated in Lemma 4.3.2 is that assertions occurring in the
definition of satisfiability sets may also be restricted to the appropriate
subformulas without changing the resulting sets of formulas.

Lemma 4.3.5 (Subformula Property of Sat Sets).

Let T = (S, Act, →) be a labelled transition graph, Φ be a formula, Ω be an
assertion, and V be a valuation. Then we have, for any state s ∈ S,

$$ Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega \cap SF(\Phi)} = Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega}. $$

Sketch. The lemma is shown by straightforward induction on the structure of
Φ. The proof relies on the subformula property of the assertion-based
semantics given in Lemma 4.3.2. □

Moreover, the notion of monotonicity can also be applied to satisfiability
sets. Since this notion of monotonicity is, however, somewhat complicated we
first give the appropriate definitions.
Definition 4.3.3. Let Δ^+ denote the restriction of Δ ⊆ SF(Φ) to SF(Φ)^+,
i.e. Δ^+ =df Δ ∩ SF(Φ)^+, and analogously Δ^- =df Δ ∩ SF(Φ)^-. Then we define
the partial order ⊑_sat on 2^{SF(Φ)} by

$$ \Delta_1 \sqsubseteq_{sat} \Delta_2 \quad\text{iff}\quad \Delta_1^+ \subseteq \Delta_2^+ \ \text{and}\ \Delta_1^- \supseteq \Delta_2^-. $$

Lemma 4.3.6 (Monotonicity of Satisfiability Sets).

Let s be a state of the labelled transition graph T = (S, Act, →), Φ be a
formula, Ω be an assertion, and V be a valuation. If every free occurrence of
X in Φ is within an even number of negations then the mapping which assigns
to S' ⊆ S the satisfiability set of s with respect to the interpretation
V[X ↦ S'] is monotone, i.e.

$$ S_1 \subseteq S_2 \ \text{implies}\ Sat(s,\Phi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega} \sqsubseteq_{sat} Sat(s,\Phi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega}. $$

Proof. The lemma is shown by means of the slightly stronger result which
states that the mapping S' ↦ Sat(s,Φ)^T_{V[X ↦ S'],Ω} is monotone if every
free occurrence of X in Φ is within an even number of negations, and is
anti-monotone if every free occurrence of X appears negatively in Φ. Since
most cases are routine we only consider the case Φ = ¬Ψ where X occurs
positively in Φ.

Let S_1 ⊆ S_2. Since every free occurrence of X in Φ is within an even number
of negations we know by monotonicity of the assertion-based semantics
(Lemma 4.3.3(1)) that

$$ s \in \llbracket \Phi \rrbracket^{\mathcal{T}}_{V[X \mapsto S_1],\Omega} \ \text{implies}\ s \in \llbracket \Phi \rrbracket^{\mathcal{T}}_{V[X \mapsto S_2],\Omega} \qquad (4.3) $$

Moreover, since every free occurrence of X in Ψ is within an odd number of
negations we obtain by induction hypothesis

$$ Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega} \sqsubseteq_{sat} Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega}, $$

and hence

$$ (Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega})^+ \subseteq (Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega})^+ \qquad (4.4) $$

$$ (Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega})^- \subseteq (Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega})^- \qquad (4.5) $$

From this we, finally, conclude

$$
\begin{array}{cl}
 & (Sat(s,\neg\Psi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega})^+ \\[4pt]
= & \{\, \neg\Psi \mid s \in \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S_1],\Omega} \,\} \cup (Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega})^- \\[4pt]
\subseteq & \text{[by (4.3) and (4.5)]} \quad \{\, \neg\Psi \mid s \in \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S_2],\Omega} \,\} \cup (Sat(s,\Psi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega})^- \\[4pt]
= & (Sat(s,\neg\Psi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega})^+
\end{array}
$$

Analogously, (Sat(s,¬Ψ)^T_{V[X ↦ S_2],Ω})^- ⊆ (Sat(s,¬Ψ)^T_{V[X ↦ S_1],Ω})^-
is deduced by means of (4.4). Overall, this shows, as desired, that

$$ Sat(s,\neg\Psi)^{\mathcal{T}}_{V[X \mapsto S_1],\Omega} \sqsubseteq_{sat} Sat(s,\neg\Psi)^{\mathcal{T}}_{V[X \mapsto S_2],\Omega}. $$

□

The assertion-based semantics can now be shown to be "consistent" in the
sense that we may always extend assertions with the satisfiability sets of
arbitrary states at arbitrary places.

Lemma 4.3.7 (Extension Lemma).

Let T = (S, Act, →) be a labelled transition graph, Φ be a formula, Ω be an
assertion, and V be a valuation. Then we have, for any set of states
{ s, s_1, ..., s_n } ⊆ S, the following equalities.

Proof. Both parts of the lemma will be shown by induction on n. To start
with, we prove the following claim.

Claim 1: For any single state s ∈ S, we have

Proof. To shorten notation we abbreviate the assertion Ω[s ⊨ Sat(s,Φ)^T_{V,Ω}]
by Ω_s. If s ∈ dom(Ω) we have by definition Sat(s,Φ)^T_{V,Ω} = Ω(s) ∩ SF(Φ),
and hence Ω_s ∩ SF(Φ) = Ω ∩ SF(Φ). So in this case the claim trivially holds
by Lemma 4.3.2.

Let us now assume that s ∉ dom(Ω). First note that

$$ s \in \Omega_s^{-1}(\Phi) \quad\text{iff}\quad \Phi \in Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega} \quad\text{iff}\quad s \in \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega} \qquad (4.6) $$

always holds. In the proof we will then use the fact that s ∈ [[Φ]]^T_{V,Ω}
can be reduced to membership of s in the semantics of the "unfolding" of Φ
whenever s ∉ dom(Ω).

The proof of the claim for the case s ∉ dom(Ω) is now accomplished by
structural induction on Φ.

1. Φ = tt. Then obviously

$$ \llbracket tt \rrbracket^{\mathcal{T}}_{V,\Omega_s} = \mathfrak{A}^{tt}_{\Omega_s}(S) = S \setminus dom(\Omega_s) \cup \Omega_s^{-1}(tt) = S \setminus dom(\Omega) \cup \Omega^{-1}(tt) = \mathfrak{A}^{tt}_{\Omega}(S) = \llbracket tt \rrbracket^{\mathcal{T}}_{V,\Omega} $$

since by (4.6) s ∈ Ω_s^{-1}(tt) iff s ∈ [[tt]]^T_{V,Ω}, where the latter
always holds.

2. Φ = X. In this case we obtain

$$ \llbracket X \rrbracket^{\mathcal{T}}_{V,\Omega_s} = \mathfrak{A}^{X}_{\Omega_s}(V(X)) = V(X) \setminus dom(\Omega_s) \cup \Omega_s^{-1}(X) = V(X) \setminus dom(\Omega) \cup \Omega^{-1}(X) = \mathfrak{A}^{X}_{\Omega}(V(X)) = \llbracket X \rrbracket^{\mathcal{T}}_{V,\Omega} $$

since

$$ s \in V(X) \quad\text{iff}\quad X \in Sat(s,X)^{\mathcal{T}}_{V,\Omega} \quad\text{iff}\quad s \in \Omega_s^{-1}(X), $$

i.e. if s is removed from V(X) by set subtraction wrt. dom(Ω_s) it will be
added again through Ω_s^{-1}(X).

3. Φ = ¬Ψ. Then we deduce

$$
\begin{array}{cl}
 & \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} \\[4pt]
= & (S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s}) \setminus dom(\Omega_s) \cup \Omega_s^{-1}(\neg\Psi) \\[4pt]
= & \text{[by Lemma 4.3.2]} \quad (S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models Sat(s,\neg\Psi)^{\mathcal{T}}_{V,\Omega} \cap SF(\Psi)]}) \setminus dom(\Omega_s) \cup \Omega_s^{-1}(\neg\Psi) \\[4pt]
= & \text{[by definition of } Sat\text{]} \quad (S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models Sat(s,\Psi)^{\mathcal{T}}_{V,\Omega}]}) \setminus dom(\Omega_s) \cup \Omega_s^{-1}(\neg\Psi) \\[4pt]
= & \text{[by induction hypothesis]} \quad (S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega}) \setminus dom(\Omega_s) \cup \Omega_s^{-1}(\neg\Psi) \\[4pt]
= & \text{[since } s \in S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \text{ iff } s \in \Omega_s^{-1}(\neg\Psi)\text{]} \quad (S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega}) \setminus dom(\Omega) \cup \Omega^{-1}(\neg\Psi) \\[4pt]
= & \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V,\Omega}
\end{array}
$$

4. Φ = Ψ_1 ∨ Ψ_2, and 5. Φ = ⟨a⟩Ψ follow similar lines as case 3.

6. Φ = μX.Ψ. Let

$$ S_\Omega =_{\mathrm{df}} \bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S'],\Omega} \subseteq S' \,\} \quad\text{and}\quad S_{\Omega_s} =_{\mathrm{df}} \bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S'],\Omega_s} \subseteq S' \,\}. $$

As we have

$$ \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega} = S_\Omega \setminus dom(\Omega) \cup \Omega^{-1}(\mu X.\Psi), \quad\text{and}\quad \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} = S_{\Omega_s} \setminus dom(\Omega_s) \cup \Omega_s^{-1}(\mu X.\Psi) $$

as well as the property s ∈ S_Ω iff s ∈ Ω_s^{-1}(μX.Ψ), it is sufficient to
prove that S_Ω = S_{Ω_s}. To start with, we show S_{Ω_s} ⊆ S_Ω.
= [by definition of Ω_s]

I^lv[XM-Sn ],f2[s\—Sat{s,fiX.'I^)^ 

= [by Lemma 4.3.2[ 

I^lv[XM-Sn ],t2[s|=Sai(s,/iX.!f') J „] n SF(<?) 
= [by definition of Sat] 

I^lv[XM-So].t2[s|=Sai(s,F)F 

= [by Lemma 4.3. 1.2] 

[•^IvlX^Sn ],t2[.hSai(s.F)r 

= [by induction hypothesis] 

C [by definition of S'r?] 

So 



From the least fixpoint property of S_{Ω_s} we may now conclude S_{Ω_s} ⊆ S_Ω.
For the other direction observe that the following holds.



C 



c 



[by induction hypothesis] 

[due to S'j 7 ^ ^ Sq and monotonicity] 
[by Lemma 4.3. 1.2] 



I'^l 



r 

V[XM-Sn^ ],fi[s|=-Sai(s,'?) 



T 

V[X^ 






[by definition of Sat] 

I^lv[XM-Sn^ ],n[^\=Sat{s,tiX.i')l^^] n SF(F) 
[by Lemma 4.3.2] 

],nis\=Sat{s,f,X.i')l^^] 

[by definition of f2g] 

I^lv[XM-SnJ.t2, 

[by definition of Sq^] 

So. 
The least fixpoint property of S_Ω now yields the remaining inclusion

$$ S_\Omega \subseteq S_{\Omega_s}. $$

This completes the proof of Claim 1. □

Next we prove that satisfiability sets as well are not affected when extending
the assertion Ω with correct assertions.

Claim 2: For any states s, s' ∈ S we have

Proof. The claim is shown by structural induction on Φ. The base cases hold
due to the equivalence

$$ \Phi \in Sat(s',\Phi)^{\mathcal{T}}_{V,\Omega_s} \ \text{iff}\ s' \in \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega_s} \ \text{iff}\ s' \in \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega} \ \text{[by Claim 1]}\ \text{iff}\ \Phi \in Sat(s',\Phi)^{\mathcal{T}}_{V,\Omega} \qquad (4.7) $$

Now assume Claim 2 holds for all proper subformulas Ψ of Φ. The case Φ = is
then shown by

which follows from (4.7), and 
Sat{s',<P)'{fj^ 

= [by induction hypothesis] 

Sat{s ^'^)v^a[s\=Sat{s,^)f J 
= [by definition of Sat] 

Sat{s , '^)Z,0([s\=Sat{s,<l>)f;^^] n SFi^f )) 

= [by Lemma 4.3.5] 

Sat{s j'^)v^a[s\=Sat{s,'i>)f,^^] 

The remaining cases follow similar lines. This proves Claim 2. □

To ease notation we will abbreviate in the remainder of the proof
Sat(s_i,Φ)^T_{V,Ω} by Δ_i.

The second part of the lemma is now shown by induction on n. For n = 0 the
lemma obviously holds. Now assume the lemma holds for n states
s_1, ..., s_n ∈ S, and let s_{n+1} ∈ S. Then we deduce
Sat(s,Φ)

= [by induction hypothesis] 

Sat{s, 

= [by Claim 2] 

= [again by induction hypothesis] 



Finally, we prove the first part of the lemma also by induction on n. For
n = 0 the lemma trivially holds. Now assume the lemma holds for n states
s_1, ..., s_n ∈ S, and let s_{n+1} ∈ S. Then we conclude



mz,n 

= [by induction hypothesis] 
= [by Claim 1] 



V,S^[si\=Ai 



1^1 V,t2[si |=Zii]”^ j [s„+i |=Sat(s„+i 

= [by the second part of the lemma] 

1^1 V,t?[si |=Zii]”^ j [s„+i |=Sat(s„+i ,$) J 



This completes the proof of the lemma. □ 

Next we investigate the relationship between reachability in the labelled
transition graph and the assertion-based semantics.

Definition 4.3.4. We call T' = (S', Act, →') a closed component of the
labelled transition graph T = (S, Act, →) if

1. S' ⊆ S,

2. →' = →|_{S'}, and

3. S' is closed with respect to out-going transitions, i.e. s ∈ S' and
   s →a s' implies s' ∈ S'.

Since the modal μ-calculus is defined in terms of forward modalities, it turns
out that the semantics of formulas on closed components of labelled transition
graphs only depends on the behaviour of the states of the closed component at
hand.
Lemma 4.3.8 (Closed Component Lemma).

Let T = (S, Act, →) be a labelled transition graph, T' = (S', Act, →') be a
closed component of T, Φ be a formula, Ω be an assertion, and V be a
valuation. If we abbreviate the restriction of Ω to S' by Ω', and V ∩ S' by
V', respectively, then we have

1. $\llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' = \llbracket \Phi \rrbracket^{\mathcal{T}'}_{V',\Omega'}$

2. $Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega} = Sat(s,\Phi)^{\mathcal{T}'}_{V',\Omega'}$, for any s ∈ S'.

Proof. The first part of the lemma will be shown by structural induction on
Φ.

1. Φ = tt. Then

$$ \llbracket tt \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' = \mathfrak{A}^{tt}_{\Omega}(S) \cap S' = \mathfrak{A}^{tt}_{\Omega'}(S \cap S') = \mathfrak{A}^{tt}_{\Omega'}(S') = \llbracket tt \rrbracket^{\mathcal{T}'}_{V',\Omega'} $$

2. Φ = X. Then

$$ \llbracket X \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' = \mathfrak{A}^{X}_{\Omega}(V(X)) \cap S' = \mathfrak{A}^{X}_{\Omega'}(V(X) \cap S') = \mathfrak{A}^{X}_{\Omega'}(V'(X)) = \llbracket X \rrbracket^{\mathcal{T}'}_{V',\Omega'} $$

3. Φ = ¬Ψ. Then

$$
\begin{array}{cl}
 & \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' \\[4pt]
= & \mathfrak{A}^{\neg\Psi}_{\Omega'}\bigl((S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega}) \cap S'\bigr) \\[4pt]
= & \mathfrak{A}^{\neg\Psi}_{\Omega'}\bigl(S' \setminus (\llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S')\bigr) \\[4pt]
= & \text{[by induction hypothesis]} \quad \mathfrak{A}^{\neg\Psi}_{\Omega'}\bigl(S' \setminus \llbracket \Psi \rrbracket^{\mathcal{T}'}_{V',\Omega'}\bigr) = \llbracket \neg\Psi \rrbracket^{\mathcal{T}'}_{V',\Omega'}
\end{array}
$$

4. Φ = Ψ' ∨ Ψ''. Then

$$
\begin{array}{cl}
 & \llbracket \Psi' \vee \Psi'' \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' \\[4pt]
= & \mathfrak{A}^{\Psi' \vee \Psi''}_{\Omega'}\bigl((\llbracket \Psi' \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S') \cup (\llbracket \Psi'' \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S')\bigr) \\[4pt]
= & \text{[by induction hypothesis]} \quad \mathfrak{A}^{\Psi' \vee \Psi''}_{\Omega'}\bigl(\llbracket \Psi' \rrbracket^{\mathcal{T}'}_{V',\Omega'} \cup \llbracket \Psi'' \rrbracket^{\mathcal{T}'}_{V',\Omega'}\bigr) = \llbracket \Psi' \vee \Psi'' \rrbracket^{\mathcal{T}'}_{V',\Omega'}
\end{array}
$$

5. Φ = ⟨a⟩Ψ. Then

$$
\begin{array}{cl}
 & \llbracket \langle a \rangle\Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' \\[4pt]
= & \mathfrak{A}^{\langle a \rangle\Psi}_{\Omega}\bigl(\{\, s \in S \mid \exists s' \in S.\ s \xrightarrow{a} s' \text{ and } s' \in \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \,\}\bigr) \cap S' \\[4pt]
= & \mathfrak{A}^{\langle a \rangle\Psi}_{\Omega'}\bigl(\{\, s \in S' \mid \exists s' \in S.\ s \xrightarrow{a} s' \text{ and } s' \in \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \,\}\bigr) \\[4pt]
= & [S' \text{ is closed and } \forall s' \in S' \text{ we know by induction hypothesis } \\
  & \ s' \in \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \text{ iff } s' \in \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega} \cap S' \text{ iff } s' \in \llbracket \Psi \rrbracket^{\mathcal{T}'}_{V',\Omega'}] \\[4pt]
 & \mathfrak{A}^{\langle a \rangle\Psi}_{\Omega'}\bigl(\{\, s \in S' \mid \exists s' \in S'.\ s \xrightarrow{a} s' \text{ and } s' \in \llbracket \Psi \rrbracket^{\mathcal{T}'}_{V',\Omega'} \,\}\bigr) \\[4pt]
= & \llbracket \langle a \rangle\Psi \rrbracket^{\mathcal{T}'}_{V',\Omega'}
\end{array}
$$

6. Φ = μX.Ψ.

The proof of [[μX.Ψ]]^T_{V,Ω} ∩ S' = [[μX.Ψ]]^{T'}_{V',Ω'} will be
accomplished by showing both inclusions.



6.1. l^iXmV,0' C lfiXmZ,or^S': 

Let S C S satisfy (*) I^ly[ ^^^ 5 ] q — i^i' ^ ^ - Then we 

have by induction hypothesis the inclusion 

mVix^s'io' = mVx^s],o^^' ^sns' = s' 

which shows that any set of states S satisfying (*) fulfils due to the least 
fixpoint property also 

l^ixmV,o' c = QiV^ '^{S)ns' 

Taking in particular S =df P| { >5' C 5 | I^'lvfXh-s-s] o — finally, 

obtain 



l^ixmz:^^, 

= lf,xmZ,n(^S' 

6 . 2 . l^^xmz^^ns' cl^,xmV,o'■■ 

Let S' C S' satisfy (**) [^lv'[Xi->-S'] O' — order to extend S' to 

some appropriate subset S C S such that S satisfies 



I'^l 



r 

v[Xi->-s],r2 



C S 



we define the function cps' which maps subsets of S', the complement of 
S' with respect to 5, to subsets of S' by means of 

fs'{S) =df [^lv[jfM-s'us],r 2 



Since ips' is monotone on 2^' , ips' has according to the Tarski-Knaster 
theorem a least fixpoint, denoted by iiips'- Now let S =df S' U iups'- 
Then we conclude 
⊆



[by fixpoint property of ^l^ps'] 
d^l'^ n 5') U ^^ps' 

[by induction hypothesis] 

W\v'[x^S'],n' 

[by definition of S'] 

S' U pips' 

S 



From this we see that whenever (**) holds for a set of states S' we also 
have by the least fixpoint property the inclusion 

lpX.nZ,o n 5' c n 5' = K^ '^{s n 5') = %^ '^{s') 

In particular for -5" =df n { -S' C 5' I Ml'px^sio' Q S} we hence 
obtain 

IpX.'FjZ^^ns' 

c c 5' I mV[x^s],o' ^s}) 

= lpX.nV,0' 

Now the second claim of the lemma follows from the first one by induction on
the structure of Φ. □

The satisfaction set of a state can be considered as an assertion that
characterises its behaviour. In fact, we can show that pruning the
transitions of a state which is assumed to satisfy its satisfaction set does
not change the considered assertion-based semantics.

Definition 4.3.5 (Pruning of Transitions).

Let T = (S, Act, →_T) be a labelled transition graph, and S' = { s_1, ..., s_n }
⊆ S be a set of states. If we prune the transitions of S' in T we obtain the
labelled transition graph T_{S'} which coincides with T except that all
out-going transitions of the states s_i are deleted, i.e.
T_{S'} =df (S, Act, →_{T_{S'}}) where

$$ \to_{\mathcal{T}_{S'}} =_{\mathrm{df}} \to_{\mathcal{T}} \setminus \{\, (s_i, a, s) \mid 1 \le i \le n,\ a \in Act,\ s \in S \,\}. $$

Lemma 4.3.9 (Expressiveness of Assertions).

Let T = (S, Act, →_T) be a labelled transition graph, Φ be a formula, Ω be an
assertion, and V be a valuation. Given a set of states S' = { s_1, ..., s_n }
⊆ S, let Δ_i be the satisfiability set of s_i, i.e. Δ_i =df Sat(s_i,Φ)^T_{V,Ω}.
Then we have
Proof. Both parts of the lemma will be shown by induction on n based on the
following two claims.

Claim 1:

$$ \llbracket \Phi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega}]} = \llbracket \Phi \rrbracket^{\mathcal{T}_s}_{V,\Omega[s \models Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega}]}, $$

and

Claim 2:

$$ Sat(s',\Phi)^{\mathcal{T}}_{V,\Omega[s \models Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega}]} = Sat(s',\Phi)^{\mathcal{T}_s}_{V,\Omega[s \models Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega}]}. $$

The proof of the first claim will be accomplished by structural induction on
Φ. To shorten notation we will abbreviate the assertion Ω[s ⊨ Sat(s,Φ)^T_{V,Ω}]
by Ω_s. The base cases are Φ = tt and Φ = X, where the rows of Table 4.2 do
not refer to the transitions of the graph at all, so that

$$ \llbracket tt \rrbracket^{\mathcal{T}}_{V,\Omega_s} = \llbracket tt \rrbracket^{\mathcal{T}_s}_{V,\Omega_s} \quad\text{and}\quad \llbracket X \rrbracket^{\mathcal{T}}_{V,\Omega_s} = \mathfrak{A}^{X}_{\Omega_s}(V(X)) = \llbracket X \rrbracket^{\mathcal{T}_s}_{V,\Omega_s}. $$


Now assume the lemma holds for all proper subformulas Ψ of Φ. Applying the
induction hypothesis we observe that

$$ \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} = \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s} \qquad (4.8) $$

since we have

$$
\begin{array}{cl}
 & \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} \\[4pt]
= & \text{[by Lemma 4.3.2]} \quad \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models Sat(s,\Phi)^{\mathcal{T}}_{V,\Omega} \cap SF(\Psi)]} \\[4pt]
= & \text{[by definition of } Sat\text{]} \quad \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega[s \models Sat(s,\Psi)^{\mathcal{T}}_{V,\Omega}]} \\[4pt]
= & \text{[by induction hypothesis]} \quad \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega[s \models Sat(s,\Psi)^{\mathcal{T}}_{V,\Omega}]} \\[4pt]
= & \text{[again by Lemma 4.3.2]} \quad \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s}
\end{array}
$$

For Φ = ¬Ψ we then conclude by means of equation (4.8)

$$ \llbracket \neg\Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} = \mathfrak{A}^{\neg\Psi}_{\Omega_s}(S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s}) = \mathfrak{A}^{\neg\Psi}_{\Omega_s}(S \setminus \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s}) = \llbracket \neg\Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s} $$

The case Φ = Ψ' ∨ Ψ'' follows similar lines since (4.8) also holds for each
immediate subformula of Φ. Most interesting is the case Φ = ⟨a⟩Ψ. First
remark that obviously

$$ S_1 \setminus dom(\Omega_s) = S_2 \setminus dom(\Omega_s) \ \text{implies}\ \mathfrak{A}^{\Phi}_{\Omega_s}(S_1) = \mathfrak{A}^{\Phi}_{\Omega_s}(S_2) \qquad (4.9) $$

for any S_1, S_2 ⊆ S. Using (4.9) we then conclude that
$$
\begin{array}{cl}
 & \llbracket \langle a \rangle\Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} \\[4pt]
= & \mathfrak{A}^{\langle a \rangle\Psi}_{\Omega_s}\bigl(\{\, t \mid \exists t'.\ t \xrightarrow{a}_{\mathcal{T}} t' \text{ and } t' \in \llbracket \Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} \,\}\bigr) \\[4pt]
= & \text{[by equations (4.8) and (4.9)]} \quad \mathfrak{A}^{\langle a \rangle\Psi}_{\Omega_s}\bigl(\{\, t \mid \exists t'.\ t \xrightarrow{a}_{\mathcal{T}_s} t' \text{ and } t' \in \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s} \,\}\bigr) \\[4pt]
= & \llbracket \langle a \rangle\Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s}
\end{array}
$$

In order to prove the last case Φ = μX.Ψ we apply the induction hypothesis to
V[X ↦ S'] instead of V, yielding like in (4.8)

$$ \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S'],\Omega_s} = \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V[X \mapsto S'],\Omega_s} \qquad (4.10) $$

from which we conclude

$$
\begin{array}{cl}
 & \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}}_{V,\Omega_s} \\[4pt]
= & \mathfrak{A}^{\mu X.\Psi}_{\Omega_s}\bigl(\bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}}_{V[X \mapsto S'],\Omega_s} \subseteq S' \,\}\bigr) \\[4pt]
= & \text{[by equation (4.10)]} \quad \mathfrak{A}^{\mu X.\Psi}_{\Omega_s}\bigl(\bigcap\{\, S' \subseteq S \mid \llbracket \Psi \rrbracket^{\mathcal{T}_s}_{V[X \mapsto S'],\Omega_s} \subseteq S' \,\}\bigr) \\[4pt]
= & \llbracket \mu X.\Psi \rrbracket^{\mathcal{T}_s}_{V,\Omega_s}
\end{array}
$$

□

The second claim can now be shown straightforwardly by structural induction on
Φ using Claim 1.

Finally, the lemma itself is shown by induction on n simultaneously for both
cases. If n = 0 both parts are obviously valid. Now assume that the lemma
holds for n states s_1, ..., s_n, and let s_{n+1} ∈ S. Then we conclude



1<1>V 



v,n 



= [by induction hypothesis for 1.] 
= [by Lemma 4. 3. 7(1)] 



m 



r,, 



= [by Claim 1] 

'>».'>» + ! 

= [by induction hypothesis for 2.] 



m 



A, 

V,i7[si |=Zii]”^ j [s„+i |=Sat(s„+i ,<f ) J 



= '’"+1 



as well as 
Sat(s', Φ)^T_{V,Ω}

[by induction hypothesis for 2.] 

[by Claim 2] 

Satis', , 

[by induction hypothesis for 2.] 

/ ^ +1 



This completes the proof. □ 

The importance of the assertion-based semantics for the verification of
sequentially composed processes is now revealed by the following theorem.
Intuitively, it expresses that the verification problem for a sequential
composition of processes may be decomposed into subproblems for the component
processes if we know the set of formulas valid for the states where the first
component terminates and the second starts to react.

To fix notation, recall that T_0;(T_1, ..., T_n) denotes the sequential
composition of the sequential labelled transition graphs T_i, for 0 ≤ i ≤ n.
Henceforth, we will denote by T'_i the embedding of T_i in T_0;(T_1, ..., T_n).
Moreover, if Ω is an assertion defined on T_0;(T_1, ..., T_n), we will
abbreviate Ω|_{T'_i} by Ω', while Ω_i denotes the assertion defined on T_i
which yields Ω' when embedded in T_0;(T_1, ..., T_n). For valuations we use
similar conventions.

Theorem 4.3.1 (Compositionality of ABS).

Let T_i = (S_i, Act, →_i, s_{i0}, (s_{i1}, ..., s_{in_i})), for 0 ≤ i ≤ n, be
n + 1 sequential labelled transition graphs, Φ be a formula, Ω be an
assertion, and V be a valuation. If we abbreviate the satisfiability sets of
the terminating states of T_0, i.e. Sat(s_{i0},Φ)^{T_0;(T_1,...,T_n)}_{V,Ω},
by Δ_i then we have

1. $\llbracket \Phi \rrbracket^{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)}_{V,\Omega} = \llbracket \Phi \rrbracket^{\mathcal{T}_0}_{V_0,\Omega_0[s_{0i} \models \Delta_i]_{i=1}^n} \cup \bigcup_{1 \le i \le n} \llbracket \Phi \rrbracket^{\mathcal{T}_i}_{V_i,\Omega_i}$

2. $Sat(s_{00},\Phi)^{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)}_{V,\Omega} = Sat(s_{00},\Phi)^{\mathcal{T}_0}_{V_0,\Omega_0[s_{0i} \models \Delta_i]_{i=1}^n}$

3. $Sat(s_{i0},\Phi)^{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)}_{V,\Omega} = Sat(s_{i0},\Phi)^{\mathcal{T}'_i}_{V',\Omega'} = Sat(s_{i0},\Phi)^{\mathcal{T}_i}_{V_i,\Omega_i}$, for 1 ≤ i ≤ n

Proof. The first equality of the third part follows from Lemma 4.3.8 since
T'_i is a closed component of T_0;(T_1, ..., T_n). Moreover, T_i and T'_i are
isomorphic structures, which yields the second equality of the third claim.

In order to show the first part let now

$$ \Gamma_i =_{\mathrm{df}} Sat(s_{i0},\Phi)^{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)}_{V,\Omega} \quad\text{and}\quad \Delta_i =_{\mathrm{df}} Sat(s_{i0},\Phi)^{\mathcal{T}_i}_{V_i,\Omega_i} $$
Then we conclude

..r„) 

«v,r2 

[by Lemma 4.3.7] 

ir^|To;(ri.... ,r„) 

[by Lemma 4.3.9] 
[by Lemma 4.3.8] 



. }A 



m 



T' 



d«tl=A]”=, 



uU 



l<2<n 



m 






= [by part (3)] 

= [by Lemma 4.3.9] 

= [by isomorphism] 

I^lvt,r2o[soi|=^i]"=i Ul<j<nWvi,r2i 



Finally, the second part of the theorem is shown by structural induction on
Φ. The proof relies on the equivalence

$$ s_{00} \in \llbracket \Phi \rrbracket^{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)}_{V,\Omega} \quad\text{iff}\quad s_{00} \in \llbracket \Phi \rrbracket^{\mathcal{T}_0}_{V_0,\Omega_0[s_{0i} \models \Delta_i]_{i=1}^n} $$

which follows immediately from the first part. □

The last step in the development of our theory is now to apply the
compositionality of assertion-based semantics to its dual point of view:
satisfiability sets. This will lead us from assertion-based semantics to
second-order semantics, the foundation for a sound and complete logical
decomposition of sequential processes.

Definition 4.3.6 (Property Transformer).

Let T = (S, Act, →, s_0, (s_1, ..., s_n)) be a sequential labelled transition
graph. The property transformer of s_0 with respect to a closed formula Φ,
denoted by |s_0|^Φ_T, is a mapping from (2^{SF(Φ)})^n to 2^{SF(Φ)} defined by

$$ |s_0|^{\Phi}_{\mathcal{T}}(\vec{\Delta}_n) =_{\mathrm{df}} Sat(s_0,\Phi)^{\mathcal{T}}_{[s_i \models \Delta_i]_{i=1}^n} $$

where $\vec{\Delta}_n$ denotes the tuple (Δ_1, ..., Δ_n). A property
transformer thus computes the set of subformulas of Φ valid for s_0 if we
assert at the terminating states s_i the set of formulas Δ_i. That the
second-order semantics is consistent with the usual semantics of processes in
terms of its valid formulas is stated in the following theorem.
Theorem 4.3.2 (Consistency).

Let T = (S, Act, →, s_0, (s_1, ..., s_n)) be a sequential labelled transition
graph, and Φ be a closed formula. Moreover, let Δ_i =df Sat(s_i,Φ)^T. Then we
have

$$ \Phi \in |s_0|^{\Phi}_{\mathcal{T}}(\vec{\Delta}_n) \quad\text{iff}\quad s_0 \in \llbracket \Phi \rrbracket^{\mathcal{T}} $$

Proof. The theorem is a direct consequence of the slightly stronger property

$$
\begin{array}{cll}
 & \Psi \in |s_0|^{\Phi}_{\mathcal{T}}(\vec{\Delta}_n) & \\[4pt]
\text{iff} & \Psi \in Sat(s_0,\Phi)^{\mathcal{T}}_{[s_i \models \Delta_i]_{i=1}^n} & \text{[by Definition 4.3.6]} \\[4pt]
\text{iff} & \Psi \in Sat(s_0,\Phi)^{\mathcal{T}}_{[]} & \text{[by Lemma 4.3.7]}
\end{array}
$$

for any Ψ ∈ SF(Φ), since s_0 ∈ [[Φ]]^T iff Φ ∈ Sat(s_0,Φ)^T_{[]}. □
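An added worked example (example code, not from the monograph) that evaluates Table 4.2 on a finite labelled transition graph and builds the property transformer of Definition 4.3.6 for the motivating example of Section 4.3.1; it also checks Theorem 4.3.2 and the pruning of Lemma 4.3.9 on the same graph. The graph FS1 below is a constructed stand-in for Figure 4.2 (which is not reproduced), satisfiability sets are computed as the subformulas holding at a state with a fixpoint body evaluated under V[X ↦ S_Ω] as in case 6 of the proof of Lemma 4.3.7 (Table 4.3 is not on this page), the ν row is taken as the dual of the μ row, and all class and function names are this example's own.

```python
"""Assertion-based semantics of Table 4.2 on a finite labelled transition graph.
Formulas are nested tuples (constructed encoding): ('tt',), ('var', 'X'),
('not', f), ('or', f, g), ('dia', 'a', f), ('mu', 'X', f) as in Table 4.2,
plus ('nu', 'X', f), evaluated as the dual of the mu row."""


class LTS:
    """T = (S, Act, ->) with the transitions stored as triples (s, a, s')."""

    def __init__(self, states, edges):
        self.states = frozenset(states)
        self.edges = frozenset(edges)

    def post(self, s, a):
        return {t for (p, b, t) in self.edges if p == s and b == a}

    def prune(self, cut):
        """T_S' of Definition 4.3.5: delete every out-going transition of `cut`."""
        return LTS(self.states, {e for e in self.edges if e[0] not in cut})


def effect(phi, omega, base):
    """A^phi_Omega(base) = base \\ dom(Omega) U Omega^{-1}(phi)."""
    return (set(base) - set(omega)) | {s for s, delta in omega.items() if phi in delta}


def fixpoint(phi, lts, V, omega):
    """S_Omega: for mu the intersection of all S' with [[body]]_{V[X->S'],Omega} <= S',
    for nu the union of all S' <= [[body]]_{V[X->S'],Omega}.  By Lemma 4.3.3(1) the
    body is monotone in X for a formula in PNF, so Kleene iteration reaches it."""
    kind, x, body = phi
    cur = set() if kind == 'mu' else set(lts.states)
    for _ in range(len(lts.states) + 2):
        nxt = sem(body, lts, {**V, x: cur}, omega)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError('body of %s is not monotone in %s; is the formula in PNF?' % (kind, x))


def sem(phi, lts, V, omega):
    """[[phi]]^T_{V,Omega}, row by row as in Table 4.2."""
    k = phi[0]
    if k == 'tt':
        base = lts.states
    elif k == 'var':
        base = V.get(phi[1], set())
    elif k == 'not':
        base = lts.states - sem(phi[1], lts, V, omega)
    elif k == 'or':
        base = sem(phi[1], lts, V, omega) | sem(phi[2], lts, V, omega)
    elif k == 'dia':
        inner = sem(phi[2], lts, V, omega)
        base = {s for s in lts.states if lts.post(s, phi[1]) & inner}
    else:                                        # 'mu' or 'nu'
        base = fixpoint(phi, lts, V, omega)
    return effect(phi, omega, base)


def sat(s, phi, lts, V, omega):
    """Sat(s, phi)^T_{V,Omega}: the subformulas of phi that hold at s.  A fixpoint
    body is evaluated with its variable bound to S_Omega (case 6 of Lemma 4.3.7)."""
    here = {phi} if s in sem(phi, lts, V, omega) else set()
    k = phi[0]
    if k in ('tt', 'var'):
        return here
    if k in ('not', 'or'):
        return here.union(*(sat(s, g, lts, V, omega) for g in phi[1:]))
    if k == 'dia':
        return here | sat(s, phi[2], lts, V, omega)
    inner_V = {**V, phi[1]: fixpoint(phi, lts, V, omega)}
    return here | sat(s, phi[2], lts, inner_V, omega)


def property_transformer(lts, s0, phi, borders):
    """|s0|^phi_T of Definition 4.3.6: (Delta_1, ..., Delta_n) |-> Sat(s0, phi) under
    the assertion [s_i |= Delta_i] for the border (terminating) states s_1, ..., s_n."""
    def transform(*deltas):
        omega = {b: frozenset(d) for b, d in zip(borders, deltas)}
        return sat(s0, phi, lts, {}, omega)
    return transform


# Constructed stand-in for FS_1 of Figure 4.2: s1 -a-> s2 -a-> s3 -a-> s3,
# with s2 as the state on the dashed border line.
FS1 = LTS({'s1', 's2', 's3'},
          {('s1', 'a', 's2'), ('s2', 'a', 's3'), ('s3', 'a', 's3')})
PHI = ('nu', 'X', ('dia', 'a', ('var', 'X')))      # "there exists an infinite a-path"
SF_PHI = {PHI, ('dia', 'a', ('var', 'X')), ('var', 'X')}
S1_TRANSFORMER = property_transformer(FS1, 's1', PHI, ['s2'])

if __name__ == '__main__':
    # The two cases of Figure 4.3: an infinite a-path beyond the border, resp. none.
    print(S1_TRANSFORMER(SF_PHI))   # all of SF_PHI
    print(S1_TRANSFORMER(set()))    # set()
```

Asserting the empty set at s2 removes s2 from every fixpoint iteration, so s1 loses Φ even though the unconstrained graph satisfies it everywhere; feeding Sat(s2,Φ) back in (Theorem 4.3.2) or pruning s2's transitions under that assertion (Lemma 4.3.9) reproduces the ordinary semantics.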

As for the assertion-based semantics we are now able to show compositionality
for the second-order semantics, corresponding in this case to function
composition of property transformers.

Theorem 4.3.3 (Compositionality).

Let T_i = (S_i, Act, →_i, s_{i0}, (s_{i1}, ..., s_{in_i})), for 0 ≤ i ≤ n, be
n + 1 sequential labelled transition graphs. If Φ is a closed formula, we have

$$ |s_{00}|^{\Phi}_{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)} = |s_{00}|^{\Phi}_{\mathcal{T}_0} \circ \bigl(|s_{10}|^{\Phi}_{\mathcal{T}_1}, \ldots, |s_{n0}|^{\Phi}_{\mathcal{T}_n}\bigr) $$
Proof. We fix an arbitrary n-tuple of formula sets $\vec{\Delta}_n$, and
define

$$ \Gamma_i =_{\mathrm{df}} Sat(s_{i0},\Phi)^{\mathcal{T}_0;(\mathcal{T}_1,\ldots,\mathcal{T}_n)} \quad\text{and}\quad \Delta_i =_{\mathrm{df}} Sat(s_{i0},\Phi)^{\mathcal{T}_i}, $$

each taken under the assertion induced by $\vec{\Delta}_n$. By Theorem 4.3.1(3)
we have Γ_i = Δ_i, for 1 ≤ i ≤ n. The theorem is then shown by






■,TA, 



U<l> (^n) 

[by Definition 4.3.6] 



. ,r„: 



= [by Lemma 4.3.7] 

S'at(s00, 

= [by Theorem 4. 3. 1(2)] 

Sat(sQo, ^)v°[si|=ri]'Lj 

= [by Theorem 4. 3. 1(3)] 
Sat(soo,<P)^%^^A,]^^^ 

= [by Definition 4.3.6] 

= [by Definition 4.3.6] 

|sool5’(|siolJ (^n)) • ■ • I |SnolJ*(^n)) 



□ 
Theorem 4.3.3 will play a major role in the model-checking algorithm which we are going to develop in the next section. Its importance lies in the fact that it allows us to decompose the second-order semantics of composed processes into that of their constituents, thereby providing the foundation for a reduction from model-checking the infinite-state transition graph to model-checking its finite representation. 



4.4 Verifying Behavioural Properties 

In this section we develop a model checker for pushdown processes which decides the alternation-free modal μ-calculus. The heart of the algorithm consists of determining property transformers for each fragment of the PDPA process under consideration, which provide a compositional and sound description of the logical behaviour of the pushdown process. 

In Section 4.4.1 we introduce hierarchical equational μ-formulas as our algorithmic representation of alternation-free μ-formulas. Subsequently, we present our model checking algorithm in Section 4.4.2. The effectiveness of our method is a consequence of the fact that it suffices to deal with the part of a property transformer which concerns the subformulas of the property to be investigated. 



4.4.1 Hierarchical Equational μ-Formulas 

To ease the development of our model checking algorithm we represent alternation-free μ-formulas by means of hierarchical equational μ-formulas (cf. [CS91, CS92]). In this formalism properties can be expressed much more concisely, since it supports the sharing of common subexpressions. Theoretically, this may lead, in the best case, to an exponential reduction in the size of the formula, and practically, algorithms may take advantage of the saving and reuse of intermediate results. In this section we present the syntax and semantics of hierarchical equational μ-formulas, as well as the translation of ordinary μ-formulas into equational form. 

Syntax. 

Definition 4.4.1 (Hierarchical Equational μ-Formula). 

A μ-formula of the form 

tt, ff, X, X_1 ∨ X_2, X_1 ∧ X_2, ⟨a⟩X, or [a]X 

is called a simple formula. An equational block σB is a list of mutually recursive equations B = (X_1 = Φ_1, ..., X_n = Φ_n) where the X_i are all distinct variables, each Φ_i is a simple formula, and σ, called the parity of σB, is a fixpoint operator, i.e. is either μ or ν. An equational block μB is called a minimal block, while an equational block νB is also referred to as a maximal block. Moreover, we denote by Var(B) the set of all left-hand side variables defined by B, and call an equational block σB closed if every variable occurring in a right-hand side of some equation in B is a member of Var(B). 

An equational μ-formula 𝓕 = (σ_1B_1, ..., σ_mB_m) is now a list of equational blocks σ_iB_i where the variables defined in all the B_i, denoted by Var(𝓕), are distinct. As a special case, an equational μ-formula 𝓕 = (σ_1B_1, ..., σ_mB_m) is said to be hierarchical if the existence of a left-hand side variable of a block B_j in a right-hand side formula of a block B_i implies i ≤ j. An equational μ-formula 𝓕 is, finally, said to be closed if every variable occurring in a right-hand side of some equation is a member of Var(𝓕). 



Intuitively, an equation X = Φ represents a least fixpoint if it occurs in a minimal block μB, and represents a greatest fixpoint when occurring in a maximal block νB, respectively. An equational block σB can therefore be interpreted as a simultaneous least or greatest fixpoint depending on the parity σ. However, it is worth noticing that the order of equational blocks is semantically significant due to the presence of mutually recursive least and greatest fixpoints. 

Semantics. In order to define the semantics of a hierarchical equational μ-formula 𝓕 = (σ_1B_1, ..., σ_mB_m) with respect to a labelled transition graph 𝒯 = (S, Act, →), we first define the semantics of an individual block 

σB = (X_1 = Φ_1, ..., X_n = Φ_n). 

Given a fixed valuation V, we may build a function f_{B,V} : (2^S)^n → (2^S)^n representing the "evaluation" of B with respect to V as follows. Let S_n ∈ (2^S)^n, and let 

V[X_n ↦ S_n] =df V[X_1 ↦ S_1] ... [X_n ↦ S_n] 

be the valuation that results from V by updating the binding of X_i to S_i. Then 

f_{B,V}(S_n) =df ([[Φ_1]]_{V[X_n ↦ S_n]}, ..., [[Φ_n]]_{V[X_n ↦ S_n]}) 

Now (2^S)^n forms a complete lattice, where the ordering, join and meet operations are the pointwise extensions of the set-theoretic inclusion ⊆, union ∪ and intersection ∩, respectively. Moreover, for any block of equations B and valuation V, f_{B,V} is monotonic with respect to this lattice and therefore, according to the Tarski-Knaster fixpoint theorem, has both a least fixed point, μf_{B,V}, and a greatest fixed point, νf_{B,V}. In general, these may be characterised as follows. 

μf_{B,V} = ⋂ { S_n ∈ (2^S)^n | f_{B,V}(S_n) ⊆ S_n }, and 

νf_{B,V} = ⋃ { S_n ∈ (2^S)^n | S_n ⊆ f_{B,V}(S_n) }. 

Equational blocks μB and νB are now interpreted as the least fixpoint of f_{B,V}, respectively the greatest, yielding valuations in the following fashion. 

[[μB]]_V = V[X_n ↦ μf_{B,V}], and [[νB]]_V = V[X_n ↦ νf_{B,V}]. 

Given V, we finally define the semantics of 𝓕 as [[𝓕]]_V = V_1 where V_1 is obtained by means of the following sequence of valuations: 

V_1 = [[σ_1B_1]]_{V_2}, ..., V_{m-1} = [[σ_{m-1}B_{m-1}]]_{V_m}, V_m = [[σ_mB_m]]_V. 

Intuitively, this sequence of valuations corresponds to a bottom-up evaluation of the hierarchy of equational blocks. The base case is given by the last block B_m which does not contain any variables from earlier blocks whenever 𝓕 is hierarchical. During the evaluation process we then have the invariant that whenever the semantics of a block B_i is computed we already know the semantics of all its free variables, which must by definition belong to blocks B_j with i < j. 

As for closed μ-formulas, the semantics [[𝓕]]_V of a closed equational μ-formula 𝓕 does not depend on V. Thus when 𝓕 is closed, we omit reference to V. Finally, we define the size of 𝓕, denoted by |𝓕|, as the number of equations contained in 𝓕. 

The translation of a closed μ-formula Φ in PNF into an equivalent equational μ-formula proceeds by successively generating equations for each subformula of Φ, where the parity is determined by the closest surrounding fixpoint operator. Formally, we have 

Definition 4.4.2 (Translation of μ-Formulas into Equational Form). 

Let :: denote the concatenation of sequences. Then the recursive procedure trans, which takes as input parameters a parity, a variable, and a μ-formula in PNF and outputs an equational μ-formula, is inductively defined by the rules given in Table 4.4. With each closed μ-formula Φ in PNF we associate the equational μ-formula 𝓕_Φ =df trans(μ, X, Φ) where X is a fresh variable not occurring in Φ. 

The translation of a closed μ-formula Φ into its equivalent equational μ-formula 𝓕_Φ can be performed in time O(|Φ|), and, moreover, the size of the generated formula is the same as the size of the given formula Φ, i.e. |𝓕_Φ| = |Φ|. It is worth noticing that the translation given above yields equational μ-formulas of a particular form, since each generated block consists of exactly one equation. To remedy this algorithmically expensive structure Cleaveland, Klein, and Steffen [CKS92] developed optimisations which aim at reducing the number of blocks without changing the semantics of the root variable. We also want to point out that there exists a close relationship between the equational μ-formula 𝓕_Φ and the Fischer-Ladner closure of a formula Φ, since each equation in 𝓕_Φ corresponds to a formula of CL(Φ). 

Example 4.4.1. We illustrate the translation of μ-formulas into equational form by means of the property 
trans(σ, Y, tt)          =df  σ(Y = tt) 

trans(σ, Y, ff)          =df  σ(Y = ff) 

trans(σ, Y, X)           =df  σ(Y = X) 

trans(σ, Y, Φ_1 ∨ Φ_2)   =df  σ(Y = X_1 ∨ X_2) :: trans(σ, X_1, Φ_1) :: trans(σ, X_2, Φ_2) 
                              where X_1 and X_2 are fresh variables. 

trans(σ, Y, Φ_1 ∧ Φ_2)   =df  σ(Y = X_1 ∧ X_2) :: trans(σ, X_1, Φ_1) :: trans(σ, X_2, Φ_2) 
                              where X_1 and X_2 are fresh variables. 

trans(σ, Y, μX.Φ)        =df  σ(Y = X) :: trans(μ, X, Φ) 

trans(σ, Y, νX.Φ)        =df  σ(Y = X) :: trans(ν, X, Φ) 

Table 4.4. The rules of the procedure trans. 



Φ =df νX.⟨b⟩tt ∧ ⟨a⟩X 

which intuitively expresses that there exists an infinite a-path on which the action b is always enabled. Application of the procedure trans to Φ then yields the equational μ-formula 



( μ(X' = X), ν(X = X_1 ∧ X_3), ν(X_1 = ⟨b⟩X_2), ν(X_2 = tt), ν(X_3 = ⟨a⟩X''), ν(X'' = X) ) 

Here the variable X' can safely be eliminated since it does not occur in a right-hand side of some equation, and moreover, its semantics coincides with the semantics of X. Since now all blocks have the same parity the remaining equations can be joined into a single maximal equational block. Furthermore, after propagation of the right-hand side of X'' the equation ν(X'' = X) may also be safely discarded. Thus we finally obtain the equational μ-formula 𝓕_Φ = (νB) which consists of the single equational block 



ν( X   = X_1 ∧ X_3, 
   X_1 = ⟨b⟩X_2, 
   X_2 = tt, 
   X_3 = ⟨a⟩X ) 

When the equational μ-formula 𝓕 is clear from the context we abbreviate s ∈ [[𝓕]](X) with s ⊨ X. Finally, given a process expression E we write E ⊨ X if the state labelled E in the underlying transition graph satisfies X. Both notations can also be extended to sets of variables. 
It is straightforward to define assertion-based semantics, as well as second-order semantics, also for (hierarchical) equational μ-formulas 𝓕. The interpretation of 𝓕 relative to some assertion Ω is then obtained by interpreting each right-hand side of an equation in 𝓕 relative to Ω. The only difference is that instead of subformulas of a μ-formula, assertions then assign subsets of Var(𝓕) ∪ Rhs(𝓕) to processes, where Rhs(𝓕) denotes the set of all right-hand sides of 𝓕. 

When proving the correctness of our model-checking algorithm we will restrict the type of allowed assertions even further to consistent assertions. We call a set of formulas Δ consistent if we have X ∈ Δ iff Φ ∈ Δ whenever X = Φ is an equation of 𝓕. An assertion Ω is then called consistent if each Δ ∈ im(Ω) is consistent. 

This requirement can be interpreted as a "fixpoint" consistency, and allows us to consider only assertions which assign subsets of Var(𝓕). Furthermore, since assertions valid for the empty process, as well as assertions obtained from property transformer applications to consistent arguments, are always consistent, the requirement is no restriction concerning our algorithm. 

In the remainder of this monograph we only consider a minimal equational block μB. Maximal equational blocks are dealt with in a dual way and the extension to hierarchical equational μ-formulas is straightforward. 



4.4.2 The Model Checking Algorithm 

In this section, we present our model checking algorithm for pushdown processes which decides the alternation-free modal μ-calculus. It consists of three steps: 

1. Constructing a recursive function scheme Π_{𝒟,B} with respect to the PDPA specification 𝒟 and the minimal equational block μB of interest: the appropriate solution of this scheme, called the property transformer scheme (PT-scheme), will yield the property transformers for each fragment of the pushdown process with respect to the subformulas of B. 

2. Solving the PT-scheme Π_{𝒟,B} by component-wise computation of a property transformer for each fragment of the pushdown process: essentially, we proceed as in the finite-state case (cf. [CKS92]), except for 

— the domain for the iteration, which is second-order here, i.e. it consists of property transforming functions. 

— the handling of fragments. They are dealt with by applying the currently valid approximation of their property transformers. 

The computation of the component property transformers (CPT) consists of two phases: the initialisation and the fixpoint computation. 

— The initialisation of the CPTs depends on whether we process a minimal or a maximal block: a CPT is initialised with the maximal transformer in case X is defined in a maximal block and with the minimal transformer otherwise. This reflects the fact that variables defined by a maximal block are initially assumed to be satisfied by all states and minimal block variables by none. 

— The overall fixpoint computation is done by standard fixpoint iteration. The evaluation of the right-hand sides during the fixpoint computation simply consists of functional composition and the application of the meet and join operations of the lattice of all CPTs (cf. [BS92b]). 

3. Deciding the model-checking problem: having the property transformers at hand, it can be checked whether the considered formula is a member of the set of formulas that results from applying the property transformer associated with the root fragment of the PDPA specification to the tuple of sets of formulas that are valid for a terminated state (cf. Corollary 4.4.1). 

Constructing the PT-Scheme. The first step of the algorithm consists of constructing a system of equations for the property transformers of interest. The construction embodies both the behavioural structure of the given pushdown process and the semantics of the given formula. Let 

𝒟 = (Q, Z, Act, ℰ, q_1, Z_1) 

be a PDPA specification in 2-PDNF with n control states, i.e. |Q| = n. Moreover, let 

μB = μ(X_1 = Φ_1, ..., X_m = Φ_m) 

be a closed minimal equational block with left-hand side variables 

𝒳 = {X_i | 1 ≤ i ≤ m} 

where X_1 represents the property to be investigated. Arbitrary hierarchical equational μ-formulas are dealt with by a straightforward hierarchical extension. 

To solve the model checking problem we are mainly interested in computing the semantic property transformers 

S_{[q,Z]} : (2^𝒳)^n → 2^𝒳 

of simple fragments with respect to the variables of B. For the sake of clarity, we split such a property transformer into its component property transformers (CPT) 

S^X_{[q,Z]} : (2^𝒳)^n → 𝔹,   (Δ_1, ..., Δ_n) ↦ (λΔ. X ∈ Δ) ∘ S_{[q,Z]}(Δ_1, ..., Δ_n) 

where 𝔹 is the Boolean lattice over {0, 1}, and λΔ. X ∈ Δ : 2^𝒳 → 𝔹 denotes the predicate characterising the membership of X in the set of variables Δ given as an argument. Note that the component property transformers S^X_{[q,Z]} for a given fragment [q, Z] are equivalent to S_{[q,Z]}, as 

S_{[q,Z]}(Δ_n) = ⋃_{X ∈ 𝒳} θ_X(S^X_{[q,Z]}(Δ_n)) 

where θ_X(0) = ∅ and θ_X(1) = {X}. 

Let now ⊥(n) denote the least CPT which maps every element of (2^𝒳)^n to 0, ⊤(n) the greatest CPT which maps every element of (2^𝒳)^n to 1, and χ(n)[X ∈ j] be the predicate characterising whether X is a member of the j-th argument, i.e. 

⊥(n) =df λΔ_n. 0 

⊤(n) =df λΔ_n. 1 

χ(n)[X ∈ j] =df λΔ_n. X ∈ Δ_j 

Then the PT-scheme Π_{𝒟,B} is built by means of the rules given in Table 4.5. 



Property related equations 

T^X_{[q,Z]} = ⊤(n)                                          ∈ Π_{𝒟,B},  if X = tt ∈ B 

T^X_{[q,Z]} = ⊥(n)                                          ∈ Π_{𝒟,B},  if X = ff ∈ B 

T^X_{[q,Z]} = T^{X'}_{[q,Z]}                                ∈ Π_{𝒟,B},  if X = X' ∈ B 

T^X_{[q,Z]} = T^{X'}_{[q,Z]} ⊔ T^{X''}_{[q,Z]}              ∈ Π_{𝒟,B},  if X = X' ∨ X'' ∈ B 

T^X_{[q,Z]} = T^{X'}_{[q,Z]} ⊓ T^{X''}_{[q,Z]}              ∈ Π_{𝒟,B},  if X = X' ∧ X'' ∈ B 

T^X_{[q,Z]} = ⊔{ T^{X'}_{[q',β]} | [q,Z] -a-> [q',β] }      ∈ Π_{𝒟,B},  if X = ⟨a⟩X' ∈ B 

T^X_{[q,Z]} = ⊓{ T^{X'}_{[q',β]} | [q,Z] -a-> [q',β] }      ∈ Π_{𝒟,B},  if X = [a]X' ∈ B 

Equations related to assertions 

T^X_{[q_i,ε]} = χ(n)[X ∈ i]                                  ∈ Π_{𝒟,B} 

Decomposition equations 

T^X_{[q,Z_1Z_2]} = T^X_{[q,Z_1]} ∘ (T_{[q_1,Z_2]}, ..., T_{[q_n,Z_2]})   ∈ Π_{𝒟,B},  if T^X_{[q,Z_1Z_2]} occurs in some property related equation 

Table 4.5. The rules for constructing Π_{𝒟,B}. 



According to the given construction rules the obtained PT-scheme consists of three parts: 

1. a set of PT-equations related to the property represented by the minimal equational block μB, 

2. a set of PT-equations handling the assertions at the end states of fragments, and 

3. a set of PT-equations defining the property transformers of nonsimple fragments by applying the PDPA law A6. 

The equations constituting the second and third part of the PT-scheme can be seen as evaluation rules for the appropriate property transformers, while the fixpoint computation will mainly deal with the first part. Therefore, we assume in the remainder that the right-hand sides of assertion related equations, as well as decomposition equations, have been substituted for the appropriate left-hand sides occurring in the first part of the PT-scheme. The size of the obtained PT-scheme is then given by the product of the sizes of the PDPA specification 𝒟 and the minimal equational block μB. 

The Fixpoint Iteration. Due to the fact that we consider a minimal equational block μB, we have to compute the minimal fixpoint of the constructed PT-scheme. This is done using a standard fixpoint algorithm as outlined in Figure 4.4. The central procedure compfix updates the component property transformers t^X_{[q,Z]} until consistency is reached. It uses the auxiliary functions rhs, which delivers the right-hand side term of a given PT-variable, and eval, which evaluates a PT-term with respect to a given valuation. After the fixpoint computation the algorithm completes by applying the computed property transformer associated with the root fragment [q_1, Z_1] to the n-tuple (Δ^ε, ..., Δ^ε) where each component Δ^ε =df Sat(ε, 𝒳) is the set of variables of B valid for the empty process. The overall model checking algorithm is then summarised by the procedure solve given in Figure 4.4. 

Correctness. The procedure solve consists of the construction of Π_{𝒟,B}, the fixpoint computation accomplished by a call of compfix and a final computation of T_{[q_1,Z_1]}(Δ^ε, ..., Δ^ε). It always terminates, since the number of simple fragments is finite and the procedure compfix is monotonic on the finite lattice (2^𝒳)^n → 𝔹. Moreover, upon termination of compfix, a single application of T_{[q_1,Z_1]} suffices to decide whether the formula represented by X_1 is valid for the overall system, i.e. at the start state of the process defined by the PDPA specification. This is a consequence of the following stronger property. 

Theorem 4.4.1 (Correctness of the Property Transformers). 

Let Π_{𝒟,B} be the PT-scheme obtained from a PDPA specification 𝒟 and a closed minimal equational block μB. Moreover, let the algorithmic property transformer T_{[q,Z]} be the value of t_{[q,Z]} after termination of the procedure compfix. Then we have, for any tuple of consistent assertions Δ_n, 

T^X_{[q,Z]}(Δ_n) = S^X_{[q,Z]}(Δ_n)   for all X ∈ 𝒳, q ∈ Q, Z ∈ Z. 

Proof. Let us first observe that with each family of property transformers F 
procedure compfix 
BEGIN 
  /* Initialisation */ 
  Let t be the vector of PT-variables which occur on a left-hand side 
  in an equation of Π_{𝒟,B}. 
  V.old := ∅;  V.new := [t ↦ ⊥(n)]; 

  /* Fixpoint Computation */ 
  WHILE V.new ≠ V.old DO 
    V.old := V.new; 
    V.new := [t ↦ eval(rhs(t), V.old)]; 
  OD 
END 

procedure solve(𝒟, μB) 
BEGIN 
  Construction of the PT-scheme Π_{𝒟,B}; 
  compfix; 
  Let T_{[q_1,Z_1]} be the value of t_{[q_1,Z_1]} after termination of the fixpoint computation, 
  and let Δ^ε =df Sat(ε, 𝒳) be the set of variables of B which are valid for the empty process ε. 
  RETURN T_{[q_1,Z_1]}(Δ^ε, ..., Δ^ε); 
END 

Fig. 4.4. The algorithm for solving the model checking problem. 



and each n-tuple of sets of variables Δ_n we may associate the m sets of pushdown processes 

P^{X_j}(F, Δ_n) =df { [q,γ] | F^{X_j}_{[q,γ]}(Δ_n) = true },  1 ≤ j ≤ m. 

These sets can be interpreted as an approximation of the semantics of X_j with respect to the assertion that Δ_n holds for the terminating states, in terms of the given family of property transformers F. 

If we consider in particular the family of semantic property transformers 𝒮 we thus obtain, for a given n-tuple of sets of variables Δ_n, the set of pushdown configurations which satisfy X_j under the assertion that each [q_i, ε], for 1 ≤ i ≤ n, satisfies Δ_i. I.e. if we abbreviate the assertion [[q_i, ε] ⊨ Δ_i] by Ω_n and denote by V the assertion-based semantics of μB with respect to the assertion Ω_n, we have 

[q,γ] ∈ P^X(𝒮, Δ_n) iff S^X_{[q,γ]}(Δ_n) = true iff [q,γ] ∈ [[X]]_V 

The second property of P^X we will need for the proof is its consistency with respect to the assertion Ω_n whenever Ω_n is consistent. By this we mean the equivalence 
^nSP''iF^^n)) = P^{F,An) (4.11) 

which follows from 

[qi,e] G iff X G Ai iff [qi,e] G P^{F,An), for all 1 < i < n, 

as well as the equivalence 

A„)) = P^{F, A„) (4.12) 

which holds whenever X = Φ is an equation of B, and is a consequence of the consistency of Ω_n. 

Henceforth An), . . . , P^”'{F, An)) is abbreviated by An). 

In order to prove the theorem it now suffices to show the following two claims: 

Claim 1: T^X_{[q,Z]} ⊑ S^X_{[q,Z]} for all X ∈ 𝒳, q ∈ Q, Z ∈ Z, and 

Claim 2: P^{X_j}(𝒯, Δ_n) ⊇ P^{X_j}(𝒮, Δ_n) for all consistent Δ_n and 1 ≤ j ≤ m, 

since the second claim implies S^X_{[q,Z]} ⊑ T^X_{[q,Z]} for all X ∈ 𝒳, q ∈ Q, Z ∈ Z. 

Let now 

Π_{𝒟,B} = (t^X_{[q,Z]} = Ψ_{(X,q,Z)})_{X ∈ 𝒳, q ∈ Q, Z ∈ Z} 

be the PT-scheme obtained from 𝒟 and μB by the construction given in Table 4.5. 

Proof of Claim 1: We show that the family of semantic property transformers 𝒮 is a fixpoint of the PT-scheme, i.e. that 𝒮 satisfies every equation t^X_{[q,Z]} = Ψ_{(X,q,Z)} of Π_{𝒟,B}, which proves T^X_{[q,Z]} ⊑ S^X_{[q,Z]} since 𝒯 is the least fixpoint of Π_{𝒟,B}. Fix now some Δ_n, and let V abbreviate the assertion-based semantics of μB with respect to the assertion [q_i, ε] ⊨ Δ_i, for 1 ≤ i ≤ n. Moreover, let t^X_{[q,Z]} = Ψ_{(X,q,Z)} be an equation of Π_{𝒟,B}, due to X = Φ being an equation of B. The proof then proceeds by case analysis of Φ. 

Case 1: Φ = tt. 

By construction of Π_{𝒟,B} we have Ψ_{(X,q,Z)} = ⊤(n). However, since we know that [q,Z] ∈ [[tt]]_V for any [q,Z], we also see that S^X_{[q,Z]}(Δ_n) always yields true, and thus S^X_{[q,Z]} = ⊤(n). 

Case 2: Φ = ff. 

By similar arguments as in the previous case we obtain that S^X_{[q,Z]}(Δ_n) is always false, and hence S^X_{[q,Z]} = ⊥(n). 

Case 3: Φ = X'. 

In this case Ψ_{(X,q,Z)} = t^{X'}_{[q,Z]}, and we thus have to show S^X_{[q,Z]} = S^{X'}_{[q,Z]}. But this follows immediately from 

[q,Z] ∈ [[X]]_V iff [q,Z] ∈ [[X']]_V 

as X = X' was the equation of B under consideration. 
Case 4: Φ = X' ∨ X''. 

Then Ψ_{(X,q,Z)} is of the form t^{X'}_{[q,Z]} ⊔ t^{X''}_{[q,Z]}. Hence we have to prove 

S^X_{[q,Z]} = S^{X'}_{[q,Z]} ⊔ S^{X''}_{[q,Z]} 

which can be seen as follows: 

S^X_{[q,Z]}(Δ_n) = true 
iff [q,Z] ∈ [[X]]_V 
iff [q,Z] ∈ [[X' ∨ X'']]_V 
iff [q,Z] ∈ [[X']]_V or [q,Z] ∈ [[X'']]_V 
iff S^{X'}_{[q,Z]}(Δ_n) = true or S^{X''}_{[q,Z]}(Δ_n) = true 
iff (S^{X'}_{[q,Z]} ⊔ S^{X''}_{[q,Z]})(Δ_n) = true 

Case 5: Φ = X' ∧ X''. Analogous to Φ = X' ∨ X''. 

Case 6: Φ = ⟨a⟩X'. 

Here we have Ψ_{(X,q,Z)} = ⊔{ t^{X'}_{[q',β]} | [q,Z] -a-> [q',β] }. It thus remains to show 

S^X_{[q,Z]} = ⊔{ S^{X'}_{[q',β]} | [q,Z] -a-> [q',β] } 

This is proved by 

S^X_{[q,Z]}(Δ_n) = true 
iff [q,Z] ∈ [[X]]_V 
iff [q,Z] ∈ [[⟨a⟩X']]_V 
iff ∃[q',β]. [q,Z] -a-> [q',β] and [q',β] ∈ [[X']]_V 
iff ∃[q',β]. [q,Z] -a-> [q',β] and S^{X'}_{[q',β]}(Δ_n) = true 
iff (⊔{ S^{X'}_{[q',β]} | [q,Z] -a-> [q',β] })(Δ_n) = true 

Case 7: Φ = [a]X'. Analogous to Φ = ⟨a⟩X'. 

Proof of Claim 2: We fix again some n-tuple Δ_n and abbreviate the assertion [[q_i, ε] ⊨ Δ_i], where we assert at each of the end states [q_i, ε] the set of variables Δ_i, by Ω_n. We show then that the tuple of sets P^{X_j}(𝒯, Δ_n), 1 ≤ j ≤ m, is a fixpoint of the equational block B when B is interpreted wrt. 𝒟 under the assertion Ω_n, i.e. that 

^ ’"(T, An), 

This fixpoint property immediately implies our claim, since the corresponding tuple P^{X_j}(𝒮, Δ_n), 1 ≤ j ≤ m, is the least fixpoint of B when we assert Ω_n. Let now X = Φ be some equation of B. The proof is then accomplished again by case analysis of Φ. To ease notation we abbreviate the valuation [X_j ↦ P^{X_j}(𝒯, Δ_n)], 1 ≤ j ≤ m, by V. 
Case 1: Φ = tt: 

= UGQ,7e^*}) 

= [by construction of IIxi,b we have 

(") bII q € Q, Z € Z] 

I = true} 

= [by equation (4.12)] 

P^{f,An) 

Case 2: Φ = ff. This case is shown similarly to the previous case. 

Case 3: Φ = X': 

= 2t^'(P^'(T,Z„)) 

= I T[^'-y]iAn) = true}) 

= [by construction of IIx>,b we have 

T[lz]=T[^'z] forallgGg,ZGZ) 

I = true}) 

= [by equation (4.12)] 

P^{f,An) 

Case 4: Φ = X' ∨ X'': 

= (p^'(t, 4„)) U2(^''(p^''(r,4„))) 

= [by equation (4.11)] 

= I ^[^7](^«) = U 

{[9-7] I Tj^”](^«) = trae}) 

= I (Tj^;jUTj^;p(^„)=t^„e}) 

= [by construction of n-D,B we have 

'^[fz] = T^'z] LJ T^f'z] for all g G Q, Z G Z] 

2tC''^"({[9.7] I m,^{A^)=true} 
= [by equation (4.12)] 

P^{f,A„) 

Case 5: Φ = X' ∧ X''. Analogous to Φ = X' ∨ X''. 

Case 6: Φ = ⟨a⟩X': 

= I [^>7] ^ W,P\ and [q',0\ G [A'].^^^^ }) 

= I 3[g',/3] [q,j]-^[q',(3]a.nd 

[g',/3]G2t£(P^'(T,A„))}) 

= [by equation (4.11)] 

2tg^'({[(?,7] I hi] 4 hh] and [q',f3] G P^'(T,A„)}) 

= I ^[9'./5] [^>7] ^ k',/3] and Tj^,'^j(A„) = true}) 

= 2t^“f'({[<?,7] I (U{T[f/^] I [g,7]4[g',/3]})(A„)=t™e}) 

= [by construction of IIx>^b we have 

= U{ I [g, Z] 4 h, (3] } for all g G Q, ^ G 2] 

2tg^'({[<7,7] I T;^.^](A„)=t™e}) 

= 2tg^'(P^(T,A„)) 

= [by equation (4.12)] 

P^{f,Ah 

Case 7: Φ = [a]X'. Analogous to Φ = ⟨a⟩X'. 

The correctness of the algorithm is now an easy corollary. 

Corollary 4.4.1 (Correctness). 

The algorithm computes the set of all variables of B which are valid at the start state of the process defined by 𝒟: 

[q_1, Z_1] ⊨ X  iff  X ∈ T_{[q_1,Z_1]}(Δ^ε, ..., Δ^ε) 

Proof. Since Δ^ε is a consistent assertion we have: 

[q_1, Z_1] ⊨ X 

iff X ∈ S_{[q_1,Z_1]}(Δ^ε, ..., Δ^ε) [by Theorem 4.3.2] 

iff X ∈ T_{[q_1,Z_1]}(Δ^ε, ..., Δ^ε) [by Theorem 4.4.1] 

Complexity. Let us now consider the complexity of our algorithm. It turns out that the worst-case time complexity of the model checking algorithm is quadratic in the size of the PDPA specification and exponential in the size of the formula as well as in the arity. 

Theorem 4.4.2 (Complexity). 

Let 𝒟 = (Q, Z, Act, ℰ, q_1, Z_1) be a PDPA specification in 2-PDNF and μB be a closed minimal equational block. If we measure the size of 𝒟 as the number of summands in all right-hand side expressions, then the worst-case time complexity of solve is 

O(|Q| · |𝒟|² · |B|² · 4^{|B|·|Q|}). 

Proof. Let us first consider the time complexity for computing new approximate values for property transformers defined by a decomposition equation 

T^X_{[q,Z_1Z_2]} = T^X_{[q,Z_1]} ∘ (T_{[q_1,Z_2]}, ..., T_{[q_n,Z_2]}). 

In such a PT-equation the right-hand side can be evaluated by computing the new CPT argument-wise for each of the arguments Δ_n ∈ (2^𝒳)^n. 

Fixing some input Δ_n, the argument vector (T_{[q_i,Z_2]}(Δ_n))_{i=1}^n and therefore the necessary functional composition can then be computed in O(|B| · |Q|), and the evaluation of the at most |𝒟| decomposition equations gives a time complexity of 

O(|Q| · |𝒟| · |B| · 2^{|B|·|Q|}). 

The next step of the algorithm determines a new approximation for the property transformers occurring in a property related equation. The most expensive right-hand side computations result from PT-equations related to an equation X = Φ where Φ contains a modality. Now let X be such a variable and t^X = (t^X_{[q,Z]})_{q ∈ Q, Z ∈ Z} be the vector of PT-equations associated with X. Again we compute the new approximations for the CPTs argument-wise. First note that the number of CPTs occurring in t^X is bounded by |𝒟| and that a join (respectively meet) of two CPTs for a fixed argument can be performed in O(1). Thus the computation of all joins (respectively meets) occurring in t^X can be done in O(|𝒟|). Since Π_{𝒟,B} can be partitioned into |B| vectors of equations t^X, this gives us an overall time complexity of 

O(|𝒟| · |B| · 2^{|B|·|Q|}) 

for the second step in the loop. 

Since each execution of the loop improves the approximation of at least one CPT (unless we have reached the fixed-point) and since the maximal chain length arising during the fixpoint computation of each of the at most |𝒟| · |B| CPTs is less than 2^{|B|·|Q|}, the overall worst-case time complexity for computing the fixpoint can be estimated by 

O((|Q| · |𝒟| · |B| · 2^{|B|·|Q|} + |𝒟| · |B| · 2^{|B|·|Q|}) · |𝒟| · |B| · 2^{|B|·|Q|}) = O(|Q| · |𝒟|² · |B|² · 4^{|B|·|Q|}). 

A closer analysis of the algorithm reveals that only CPTs for variables which count as a weight are of interest, where the weight of B, written as w(B), is the number of distinct variables that occur after a modality on the right-hand side in some equation of B. Thus we can reduce the factor |B| to w(B), which is in general much smaller. 



4.4.3 A Working Example 

In this section we illustrate the presented model checking algorithm by means of an example. We take as the system to be model checked the context-free process from Figure 4.1 which is generated by the context-free process specification 

C = {A = aAB + b, B = b}, 

while the property we want to verify is given by the equational μ-formula 𝓕_Φ of Example 4.4.1. 

The first step of the model checking algorithm consists of constructing, by means of the rules given in Table 4.5, the equational scheme for the property transformers. The construction embodies the structure of the BPA specification C, as well as the structure of the equational formula 𝓕_Φ. In Figure 4.5 we present the PT-scheme Π obtained by this construction, together with C and 𝓕_Φ. 



C = { A = aAB + b,  B = b } 

𝓕_Φ = ν( X = X_1 ∧ X_3,  X_1 = ⟨b⟩X_2,  X_2 = tt,  X_3 = ⟨a⟩X ) 

Π = ( T^X_A     = T^{X_1}_A ⊓ T^{X_3}_A, 
      T^X_B     = T^{X_1}_B ⊓ T^{X_3}_B, 
      T^{X_1}_A = χ[X_2 ∈ 1], 
      T^{X_1}_B = χ[X_2 ∈ 1], 
      T^{X_2}_A = ⊤, 
      T^{X_2}_B = ⊤, 
      T^{X_3}_A = T^X_A ∘ (T_B), 
      T^{X_3}_B = ⊥ ) 

Fig. 4.5. The BPA specification C, the equational μ-formula 𝓕_Φ, and the PT-scheme Π (assertion and decomposition equations already substituted). 



By definition, the component property transformers which constitute the elements of our domain during the fixpoint computation are functions from 2^𝒳 to 𝔹 where 𝒳 = {X, X_1, X_2, X_3}. To ease notation we will denote the function which tests the membership of X_j simply by X_j itself. 







The computation which determines the greatest fixpoint of the PT-scheme Π is then shown in Table 4.6. In the first step every property transformer is initialised with ⊤, as we are processing a maximal equational block. Subsequently, in each iteration the values of the property transformers are updated according to the specified operations and the values obtained in the previous iteration. Since the values in the third and fourth iteration coincide we have finally reached the fixpoint. 

Table 4.6. Fixpoint computation for the PT-scheme Π. 



In the last step of our model checking algorithm we have to determine the set of variables which hold for the terminating state ε. In the example given above only X_2 holds for ε, since ε cannot perform any action at all. Thus we obtain that the process A satisfies Φ, since T^X_A({X_2}) yields true. 
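The fixpoint computation of this example, written out as an added Python script that is not part of the monograph: it encodes the BPA specification C and the block of Example 4.4.1 as constructed sample input, represents each CPT by the set of arguments on which it yields 1, and iterates the scheme of Table 4.5 as in Figure 4.4 (the procedure names compfix and solve follow the figure; the dict/tuple encoding, the helper names pt_word, eval_rhs, chi and sat_eps, and the ⟨a⟩/[a] handling of fragments without a-successors are this example's own). It goes slightly beyond the text by decomposing stack words of any length.

```python
"""CPT fixpoint iteration for a BPA specification (added example, not the book's code)."""
from itertools import combinations

# Constructed sample input: C = {A = aAB + b, B = b} and the maximal block
# X = X1 /\ X3, X1 = <b>X2, X2 = tt, X3 = <a>X of Example 4.4.1.
SPEC = {"A": [("a", "AB"), ("b", "")], "B": [("b", "")]}
BLOCK = {"X": ("and", "X1", "X3"), "X1": ("dia", "b", "X2"),
         "X2": ("tt",), "X3": ("dia", "a", "X")}
PARITY = "nu"              # maximal block: greatest fixpoint, CPTs start at TOP
VARS = tuple(BLOCK)

# A BPA has one control state, so n = 1 and a CPT is a map 2^VARS -> {0,1}.
# It is stored as the frozenset of argument sets Delta on which it yields 1,
# so join/meet of CPTs are set union/intersection.
ARGS = frozenset(frozenset(c) for k in range(len(VARS) + 1)
                 for c in combinations(VARS, k))
TOP, BOTTOM = ARGS, frozenset()

def chi(var):
    """Assertion equation T^var_eps = chi[var in 1]: true iff var is asserted."""
    return frozenset(d for d in ARGS if var in d)

def pt_word(cpts, var, word):
    """CPT of a stack word via the decomposition equation
    T^X_[Z1 Z2] = T^X_[Z1] o (T_[Z2]): T^X_[Z1] is applied to the set of
    variables whose CPTs for the rest of the word hold on the argument."""
    if word == "":
        return chi(var)
    if len(word) == 1:
        return cpts[(var, word)]
    inner = {v: pt_word(cpts, v, word[1:]) for v in VARS}
    return frozenset(d for d in ARGS if frozenset(
        v for v in VARS if d in inner[v]) in cpts[(var, word[0])])

def eval_rhs(cpts, var, sym):
    """Right-hand side of the property related equation for T^var_[sym]."""
    rhs = BLOCK[var]
    if rhs[0] == "tt": return TOP
    if rhs[0] == "ff": return BOTTOM
    if rhs[0] == "var": return cpts[(rhs[1], sym)]
    if rhs[0] == "and": return cpts[(rhs[1], sym)] & cpts[(rhs[2], sym)]
    if rhs[0] == "or": return cpts[(rhs[1], sym)] | cpts[(rhs[2], sym)]
    # <a>X': join over a-successors (empty join = BOTTOM);
    # [a]X': meet over a-successors (empty meet = TOP).
    succ = [pt_word(cpts, rhs[2], beta) for act, beta in SPEC[sym] if act == rhs[1]]
    if rhs[0] == "dia":
        return frozenset().union(*succ) if succ else BOTTOM
    if rhs[0] == "box":
        return frozenset.intersection(*succ) if succ else TOP
    raise ValueError(rhs)

def compfix():
    """Standard fixpoint iteration of Figure 4.4 over all CPTs of simple fragments."""
    init = TOP if PARITY == "nu" else BOTTOM
    new, old = {(v, z): init for v in VARS for z in SPEC}, None
    while new != old:
        old = new
        new = {(v, z): eval_rhs(old, v, z) for (v, z) in old}
    return new

def eps_holds(var, cur):
    """Does the right-hand side of var hold at eps, given the current set cur?"""
    r = BLOCK[var]
    if r[0] == "tt": return True
    if r[0] == "ff": return False
    if r[0] == "var": return r[1] in cur
    if r[0] == "and": return r[1] in cur and r[2] in cur
    if r[0] == "or": return r[1] in cur or r[2] in cur
    return r[0] == "box"   # eps has no transitions: <a> fails, [a] holds

def sat_eps():
    """Delta^eps: the variables of the block valid for the empty process."""
    cur = set(VARS) if PARITY == "nu" else set()
    while True:
        nxt = {v for v in VARS if eps_holds(v, cur)}
        if nxt == cur:
            return frozenset(cur)
        cur = nxt

def solve(start="A"):
    """Variables of the block valid at the process `start` (Corollary 4.4.1)."""
    cpts = compfix()
    delta_eps = sat_eps()
    return frozenset(v for v in VARS if delta_eps in cpts[(v, start)])

if __name__ == "__main__":
    print("Delta^eps =", set(sat_eps()))
    print("A satisfies", set(solve("A")), "; B satisfies", set(solve("B")))
```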



4.5 Expressiveness of the modal μ-calculus 

The expressiveness of a temporal logic is usually evaluated by comparing the logic at hand with other already known temporal logics by means of properties expressible in one logic, but not in the other. For example, it is well known that CTL (Computation Tree Logic) is strictly weaker than CTL*, which itself is subsumed by the modal μ-calculus. Despite the expressiveness of the modal μ-calculus it also has some deficiencies, since it does not admit expressing properties concerned with counting occurrences of events. 

To overcome this problem Bouajjani, Echahed, and Robbana [BER94] proposed an extension of CTL with Presburger arithmetic, called PCTL, allowing one to express constraints on numbers of occurrences of events. Strikingly, for a large fragment of PCTL it can be proved that the satisfaction problem is decidable. More importantly, PCTL allows one to characterise processes whose associated trace languages are nonregular. In particular, these languages may even be context-sensitive. PCTL is therefore quite different from "traditional" propositional temporal logics which may express only regular properties definable by finite-state automata on infinite trees (cf. [Tho90]). 

In this section we propose a new viewpoint different from considerations 
concerned purely with satisfiability questions. Instead, we will investigate 
the structure of sets of processes satisfying a formula of a fixed logic. In 
particular, it will turn out that properties expressed in the modal $\mu$-calculus 
always characterise regular sets of processes when interpreted on the class 
of pushdown processes. This is a consequence of the compositionality of the 
second-order semantics, by means of an automata-based construction which 
will be presented in detail in the remainder of this section. 

We fix now a pushdown specification $\mathcal{P} = (Q, Z, Act, \mathcal{E}, q_1, Z_1)$ with $|Q| = n$, 
and an equational $\mu$-formula $\mathcal{F}$ with variables $\mathcal{X}$. By definition of the 
second-order semantics we may then associate with each fragment $[q, \gamma]$ a 
property transformer $S[q, \gamma] : (2^{\mathcal{X}})^n \to 2^{\mathcal{X}}$. We are now interested in the set 
of fragments (or processes) which satisfy the formula represented by some 
variable $X_i \in \mathcal{X}$. More formally, given a state $q_k$ of the pushdown process 
system under consideration we want to characterise the set of stack contents 

$$\{ \gamma \in Z^* \mid [q_k, \gamma] \models X_i \}. \qquad (4.13)$$

The key point to observe is that we may associate with $q_k$ and $X_i$ a deter- 
ministic finite automaton 

$$\mathcal{A}^{q_k, X_i} = (Q_A, \Sigma_A, \delta_A, q_A, F_A)$$

which is defined by 

$$Q_A = (2^{\mathcal{X}})^n, \qquad \Sigma_A = Z,$$

$$\delta_A(\mathcal{A}_n, Z) = (S[q_i, Z](\mathcal{A}_n))_{i=1}^{n},$$

$$q_A = (\mathrm{Sat}(\varepsilon, \mathcal{X}))_{i=1}^{n}, \qquad F_A = \{ \mathcal{A}_n \mid X_i \in \mathcal{A}_k \},$$

where $\mathcal{A}_n = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ ranges over the tuples in $(2^{\mathcal{X}})^n$. 

That this automaton exactly characterises the set (4.13) is stated in the 
following proposition. 

Proposition 4.5.1. $\mathcal{L}(\mathcal{A}^{q_k, X_i}) = \{ \gamma \in Z^* \mid [q_k, \gamma] \models X_i \}$ 

Proof. Let $\Longrightarrow$ denote the transition relation in the automaton, and $\Longrightarrow^{*}$ 
its extension to words over $Z$. The proposition is then a consequence of the 
stronger property 

$$S[q_i, Z_r \ldots Z_1](\mathcal{A}_n) = \mathcal{A}'_i \ \text{ for all } 1 \le i \le n \quad\text{iff}\quad \mathcal{A}_n \stackrel{Z_1 \ldots Z_r}{\Longrightarrow} \mathcal{A}'_n \qquad (4.14)$$

which shows that a transition sequence $Z_1 \ldots Z_r$ in the automaton corre- 
sponds to a sequence of property transformer applications associated with 
$Z_r \ldots Z_1$. (4.14) will now be shown by induction on $r$. For $r = 0$ we have 
$S[q_i, \varepsilon](\mathcal{A}_n) = \mathcal{A}_i$, as well as 

Now assume the property holds for $r$. Then we conclude 

$(S[q_i, Z_{r+1} \ldots Z_1](\mathcal{A}_n))_{i=1}^{n} = \mathcal{A}'_n$ 

iff [by compositionality of the second-order semantics] 

$(S[q_i, Z_{r+1}]((S[q_i, Z_r \ldots Z_1](\mathcal{A}_n))_{i=1}^{n}))_{i=1}^{n} = \mathcal{A}'_n$ 

iff [by induction hypothesis and definition of $\delta_A$] 

iff 

Now it is easy to see that the proposition holds, as 

$[q_k, \gamma] \models X_i$ 

iff [by Theorem 4.3.2] 

$X_i \in S[q_k, \gamma]((\mathrm{Sat}(\varepsilon, \mathcal{X}))_{i=1}^{n})$ 

iff [by (4.14)] 

$(\mathrm{Sat}(\varepsilon, \mathcal{X}))_{i=1}^{n} = q_A \stackrel{\gamma}{\Longrightarrow} \mathcal{A}_n$ and $X_i \in \mathcal{A}_k$ 

iff $\gamma \in \mathcal{L}(\mathcal{A}^{q_k, X_i})$ 

□ 



As an immediate consequence, we obtain the main theorem of this section. 

Theorem 4.5.1. The set of fragments satisfying a formula $X_i$ is regular. 

Proof. By means of Proposition 4.5.1 we obtain 

$$\{ [q, \gamma] \mid [q, \gamma] \models X_i \} = \bigcup_{k=1}^{n} \{ [q_k, \gamma] \mid \gamma \in \mathcal{L}(\mathcal{A}^{q_k, X_i}) \}. \qquad \square$$

We close this section by computing the automaton for the example from 
Section 4.4.3. 

Example 4.5.1. In Table 4.6 we have shown the fixpoint iteration for the 
verification problem given by the context-free process $C$ and the equational 
$\mu$-formula $\mathcal{F}$, and in particular, the final semantic component property trans- 
formers. The associated automaton can now be constructed by starting with 
the initial state which in this case consists of the set $\{ X_2 \}$, and following 
transitions labelled with the nonterminals $A$ or $B$ until no more states are 
added to the automaton. 

The $A$-transition from the initial set $\{ X_2 \}$ leads, for example, to the set 
$\{ X, X_2, X_3, X_4 \}$ as 

$$S^{A}_{X}(\{ X_2 \}) = X_2 \in \{ X_2 \} = \text{true},$$

$$S^{A}_{X_2}(\{ X_2 \}) = X_2 \in \{ X_2 \} = \text{true},$$

$$S^{A}_{X_3}(\{ X_2 \}) = \top(\{ X_2 \}) = \text{true},$$

$$S^{A}_{X_4}(\{ X_2 \}) = \top(\{ X_2 \}) = \text{true}.$$

Continuing in this way we finally obtain the automaton of Figure 4.6 where 
the initial state 1 represents $\{ X_2 \}$, the state 2 represents $\{ X_1, X_2 \}$, and the 
state 3 represents $\{ X, X_2, X_3, X_4 \}$, respectively. 




Fig. 4.6. The automaton for the context-free process $C$ and the equational $\mu$-formula $\mathcal{F}$. 



From the automaton we easily see that, for instance, any process $AB^*$ 
satisfies the property represented by $X$, as 

$$\{ X_2 \} \stackrel{AB^*}{\Longrightarrow} \{ X, X_2, X_3, X_4 \} \quad\text{and}\quad X \in \{ X, X_2, X_3, X_4 \},$$

whereas e.g. none of the processes $B^*$ satisfies $X$, since in this case we have 

$$\{ X_2 \} \stackrel{B^*}{\Longrightarrow} \{ X_1, X_2 \} \quad\text{and}\quad X \notin \{ X_1, X_2 \}.$$
5.1 Introduction 

In this chapter we present an elementary algorithm for deciding bisimulation 
equivalence between arbitrary context-free processes. This improves on the 
state of the art algorithm of Christensen, Hüttel and Stirling [CHS92] consisting 
of two semi-decision procedures running in parallel, which prohibits any 
complexity estimation. The point of our algorithm is the effective construction 
of a finite relation characterising all bisimulation equivalence classes, whose 
mere existence was exploited for the above mentioned decidability result. 

In Section 5.2 we introduce the bisimulation equivalence problem for 
context-free processes and fix some notations used throughout this chap- 
ter. Section 5.3 investigates the notion of separability, while in Section 5.4 
we present a new branching algorithm for normed context-free processes. By 
means of this algorithm we develop in Section 5.5 a bound on the number 
of transitions needed to separate two non-bisimilar normed BPA processes. 
Finally, Section 5.6 contains our new equivalence checking algorithm. 



5.2 The Bisimulation Equivalence Problem 

The question whether for any two given BPA systems 

$$C^{(1)} = (V^{(1)}, Act, \mathcal{E}^{(1)}, X_1^{(1)}) \quad\text{and}\quad C^{(2)} = (V^{(2)}, Act, \mathcal{E}^{(2)}, X_1^{(2)})$$

the roots are bisimilar, i.e. $X_1^{(1)} \sim X_1^{(2)}$, is called the bisimulation equivalence 
problem for context-free processes. However, taking the disjoint union of both 
BPA systems, with variable renaming if required, allows the reduction to the 
problem whether two sequences of nonterminals of a single BPA system are 
bisimulation equivalent. 

In the remainder of this chapter we assume that we have a guarded 
BPA system $C = (V, Act, \mathcal{E}, X_1)$ in $\mathcal{K}$-GNF, where the variables $V = 
\{ X_1, \ldots, X_n \}$ are ordered by nondecreasing norm. Moreover, we divide the 
set of variables into two disjoint subsets 

$$V_N =_{df} \{ X \mid X \text{ is normed} \}$$

O. Burkart: Automatic Verification of Sequential Infinite-State Processes, LNCS 1354, pp. 115-149, 1997 
© Springer-Verlag Berlin Heidelberg 1997 
and 

$$V_U =_{df} V \setminus V_N.$$

Due to the right-cancellation rule for unnormed processes (Lemma 2.6.3) we 
restrict our attention to variable sequences 

$$\alpha \in \Gamma(V^*) =_{df} V_N^* \cup V_N^* V_U.$$

Additionally, we write $\Gamma(V^+)$ for $\Gamma(V^*) \setminus \{ \varepsilon \}$, and we denote the maximal 
finite norm of all given variables by $M$. 

Finally, we assume that the given BPA system is normalised, i.e. if $\alpha$ is 
an unnormed right-hand side summand of some normed variable $X$, then $\alpha$ 
must be of the form $aY$. This additional assumption does not impose any 
restriction, since every guarded BPA system in $\mathcal{K}$-GNF can be normalised 
by means of the following transformation: 

If $a\beta$ with $\beta \notin V$ is an unnormed right-hand side summand of some 
normed variable $X$, replace $\beta$ by some fresh variable $Y$ and add the 
equation $Y =_{df} \beta$ to $\mathcal{E}$. When there are no more normed variables 
which satisfy the previous condition, transform the resulting BPA 
system again into $\mathcal{K}$-GNF. 

That the transformation will eventually terminate can be seen from the 
following observations. The equations of all normed variables are still gu- 
arded after the normalisation transformation, while all the newly created 
equations $Y =_{df} \beta$ define an unnormed variable with an unguarded right- 
hand side which has the form $\beta = Z\beta' \in V V^{+}$. Replacing now every $Z$ 
by its defining (guarded) equation and applying the right distributive law 
$(E_1 + E_2)F = E_1 F + E_2 F$ yields then again a BPA system in $\mathcal{K}$-GNF. 

5.3 Separability 

The development of this section is based on a fixpoint construction, which 
Milner [Mil89] proposed to characterise bisimulation of finitely branching 
transition systems in terms of sequences of approximations. The notion of 
separability is defined in terms of the complements of these approximations. 
Therefore it characterises the number of transitions needed to separate two 
non-bisimilar processes. This notion will play a crucial role when developing 
our equivalence checking algorithm in Section 5.6. 

Definition 5.3.1. Let $R$ be a binary relation between processes. Then $(p, q) 
\in \mathcal{F}(R)$ iff, for each $a \in Act$, 

1. $p \stackrel{a}{\longrightarrow} p'$ implies $\exists q'.\ q \stackrel{a}{\longrightarrow} q' \wedge (p', q') \in R$ 

2. $q \stackrel{a}{\longrightarrow} q'$ implies $\exists p'.\ p \stackrel{a}{\longrightarrow} p' \wedge (p', q') \in R$ 
Intuitively, the relation $R$ represents the current approximation for bisimula- 
tion, while the mapping $\mathcal{F}$ is used to compute the succeeding approximation, 
respectively. In [Mil89] the following properties of $\mathcal{F}$ are proved. 

Lemma 5.3.1. 

1. $\mathcal{F}$ is monotonic, i.e. if $R_1 \subseteq R_2$ then $\mathcal{F}(R_1) \subseteq \mathcal{F}(R_2)$. 

2. $R$ is a bisimulation iff $R \subseteq \mathcal{F}(R)$. 

3. $\sim \;=\; \bigcup \{ R \mid R \subseteq \mathcal{F}(R) \}$. 

4. If the labelled transition graph $(\mathcal{P}, Act, \longrightarrow)$ is finitely branching, then $\mathcal{F}$ 
is continuous on $\mathcal{P} \times \mathcal{P}$. In this case we also have 

$$\sim \;=\; \bigcap \{ \mathcal{F}^{i}(\mathcal{P} \times \mathcal{P}) \mid i \ge 0 \}$$

Based on this iterative characterisation of bisimulation we define when two 
processes are said to be m-bisimilar. 

Definition 5.3.2 (m-Bisimilarity). 

Let $p, q \in \mathcal{P}$ be two processes. $p$ and $q$ are said to be $m$-bisimilar, written 
$p \sim_m q$, if $(p, q) \in \mathcal{F}^{m}(\mathcal{P} \times \mathcal{P})$, for some $m \ge 0$. 

Considering the complements of these approximations leads immediately to 
the notion of separability. 

Definition 5.3.3 (Separability). 

Let $p, q \in \mathcal{P}$ be two processes. We define the separability of $p$ and $q$ as 

$$\mathrm{Sep}(p, q) =_{df} \sup\{ m \mid p \sim_m q \} + 1.$$

If the separability of $p$ and $q$ is finite¹, let us say $m$, then $p$ and $q$ are also 
called $m$-separable. 

The definitions given above can be illustrated in terms of an elegant game 
theoretic characterisation of bisimilarity [Sti93, NC94]. In this setting bisimu- 
lation is interpreted as a game between two persons, Player and Opponent, 
taking turns. Assuming that we are given two processes $p$ and $q$, Player 
tries to prove the bisimilarity of $p$ and $q$, while Opponent has the opposite 
intention. Opponent opens the game by choosing one of the processes to- 
gether with a transition to a successor state. In turn, Player is now obliged 
to choose a matching transition of the other process, and the game continues 
with the successor states of both processes. If, however, the process chosen 
by Opponent is terminating, the counter-move of Player is valid and the game 
continues if and only if the other process is also terminating. 

Now we say that Player wins if the game continues forever and otherwise 
Opponent wins. Considered this way, $p$ and $q$ are bisimilar if Player has a 

¹ Note that $p \sim q$ implies $\mathrm{Sep}(p, q) = \infty$. 
winning strategy, i.e. he can win every possible game starting with $p$ and $q$. 
Moreover, m-bisimilarity of p and q means Player can respond at least m 
rounds in every game for p and q, while m-separability of p and q denotes 
that Opponent can win every game for p and q in at most m moves. 

In contrast to bisimilarity, separability does not seem to have been studied 
in much depth. As a first step to overcome this problem, we present some new results 
concerning the separability of context-free processes. 

Most of the results were first developed in [Cau89] for simple grammars, 
a proper subclass of context-free grammars. Simple grammars can be inter- 
preted as normed deterministic BPA systems, so it is surprising that these 
results also hold in the nondeterministic case. 

Lemma 5.3.2. If two processes $p, q \in \mathcal{P}$ are $m$-separable, then one of the 
following conditions holds. 

1. $\exists a, p'.\ p \stackrel{a}{\longrightarrow} p'$ such that $\forall q'.\ q \stackrel{a}{\longrightarrow} q' \Rightarrow p' \not\sim_{m-1} q'$; or 

2. $\exists a, q'.\ q \stackrel{a}{\longrightarrow} q'$ such that $\forall p'.\ p \stackrel{a}{\longrightarrow} p' \Rightarrow p' \not\sim_{m-1} q'$. 

In the first case we call $p \stackrel{a}{\longrightarrow} p'$ a separating transition for $p$ and $q$, and in the 
latter case $q \stackrel{a}{\longrightarrow} q'$, respectively. Moreover, we have in both cases $\mathrm{Sep}(p', q') \le 
m - 1$. 

Proof. Suppose $p$ and $q$ are $m$-separable. Then by definition of separability we 
have, in particular, $p \not\sim_m q$. The conditions stated in the lemma then follow 
from negation of $m$-bisimilarity, and $\mathrm{Sep}(p', q') \le m - 1$ holds by definition 
of separability. □ 

Iterative application of the above lemma to a non-bisimilar pair of processes 
p and q yields a separability-reducing transition track for p and q. 

Definition 5.3.4 (Transition Track). 

Let $p \not\sim_m q$. A transition track for $(p, q)$ is a pair of transition sequences 

$$\big( p = p_m \stackrel{a_{m-1}}{\longrightarrow} p_{m-1} \stackrel{a_{m-2}}{\longrightarrow} \cdots \stackrel{a_r}{\longrightarrow} p_r,\;\; q = q_m \stackrel{a_{m-1}}{\longrightarrow} q_{m-1} \stackrel{a_{m-2}}{\longrightarrow} \cdots \stackrel{a_r}{\longrightarrow} q_r \big),$$

where $1 \le r \le m$, and the property $p_i \not\sim_i q_i$, for each $r \le i \le m$, holds. 

Figure 5.1 gives an illustration of a transition track for two non-bisimilar 
processes $p, q$. A transition track can be seen as separability-reducing since 
$p_i \not\sim_i q_i$ implies $\mathrm{Sep}(p_i, q_i) \le i$ and $i$ is decreasing on the track. 

It turns out that computing the separability of two processes is as hard 
as determining all relevant approximations containing both processes. For 
some restricted cases, however, we can give bounds for the separability. To 
start with, when two processes differ in norm the separability is bounded by 
the smaller norm plus one. 

Lemma 5.3.3. If $\|\alpha\| < \|\beta\|$ then $\mathrm{Sep}(\alpha, \beta) \le \|\alpha\| + 1$. 

[Figure 5.1: a transition track, with $p = p_m \not\sim_m q_m = q$, $p_{m-1} \not\sim_{m-1} q_{m-1}$, and so on down to $\not\sim_r$.] 

Fig. 5.1. A transition track for $p, q$. 



Proof. Let $\alpha \stackrel{w}{\longrightarrow} \varepsilon$ be a norm-reducing transition sequence. Then either $\beta$ 
admits no transition sequence labelled $w$, and consequently 

$$\mathrm{Sep}(\alpha, \beta) \le |w| = \|\alpha\|,$$

or all $\beta'$ with $\beta \stackrel{w}{\longrightarrow} \beta'$ satisfy $\beta' \neq \varepsilon$ due to $\|\alpha\| < \|\beta\|$, from which we 
conclude $\varepsilon \not\sim_1 \beta'$ and 

$$\mathrm{Sep}(\alpha, \beta) \le \|\alpha\| + 1.$$

□ 

Lemma 5.3.4. Let $\mathrm{Sep}(\alpha, \beta) = m + 1$ and $\alpha \stackrel{w}{\longrightarrow} \alpha'$ with $|w| \le m$. Then there 
exists some $\beta'$ such that $\beta \stackrel{w}{\longrightarrow} \beta'$ and $\mathrm{Sep}(\alpha, \beta) \le |w| + \mathrm{Sep}(\alpha', \beta')$. 

Proof. The lemma is proved by induction on $|w|$. For $|w| = 0$ there is nothing 
to show. Now let 

$$\mathrm{Sep}(\alpha, \beta) = m + 1$$

and therefore in particular $\alpha \sim_m \beta$. Moreover, assume $\alpha \stackrel{a}{\longrightarrow} \alpha' \stackrel{w}{\longrightarrow} \alpha''$ with 
$|w| \le m - 1$. According to the definition of $m$-bisimilarity then there exists 
some $\beta'$ satisfying $\beta \stackrel{a}{\longrightarrow} \beta'$ and $\alpha' \sim_{m-1} \beta'$, which implies 

$$\mathrm{Sep}(\alpha', \beta') \ge m = \mathrm{Sep}(\alpha, \beta) - 1.$$

The induction hypothesis now yields the existence of some $\beta''$ such that 
$\beta' \stackrel{w}{\longrightarrow} \beta''$ and 

$$\mathrm{Sep}(\alpha', \beta') \le |w| + \mathrm{Sep}(\alpha'', \beta'').$$

Thus together we obtain as desired 

$$\mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\alpha', \beta') + 1 \le 1 + |w| + \mathrm{Sep}(\alpha'', \beta'').$$

□ 
Note that in case of simple grammars $\beta'$ is uniquely determined, since 
each right-hand side of a variable is deterministic in the sense that for any 
$A \in V$, and any $a \in Act$ there exists at most one $\beta$ such that $A \stackrel{a}{\longrightarrow} \beta$. For 
arbitrary context-free process systems, however, not every $\beta'$ satisfies 

$$\mathrm{Sep}(\alpha, \beta) \le |w| + \mathrm{Sep}(\alpha', \beta'),$$

as illustrated by the following example. 

Example 5.3.1. Let 

$$\mathcal{E} = \{ A =_{df} a,\; B =_{df} b,\; C =_{df} a + aAB,\; D =_{df} a + aA \}$$

be the set of equations of a guarded BPA specification and consider the two 
processes $C$ and $D$ whose transition graphs are shown in Figure 5.2. Fix 
$C \stackrel{a}{\longrightarrow} AB$. Then for $D \stackrel{a}{\longrightarrow} \varepsilon$ we have 

$$3 = \mathrm{Sep}(C, D) > |a| + \mathrm{Sep}(AB, \varepsilon) = 1 + 1 = 2.$$

The $\beta'$ whose existence is guaranteed by Lemma 5.3.4 is, however, $A$ since 
$D \stackrel{a}{\longrightarrow} A$ and 

$$3 = \mathrm{Sep}(C, D) \le |a| + \mathrm{Sep}(AB, A) = 1 + 2 = 3.$$




Fig. 5.2. The transition graphs for C and D. 



Since sequencing of processes is the essential construction for context-free 
processes, we next investigate how separability behaves with respect to se- 
quential composition. 



Lemma 5.3.5. For all $\alpha, \beta, \zeta, \eta \in V^*$ such that $\zeta \sim \eta$, we have 

1. $1 \le \mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\alpha\zeta, \beta\eta) \le \mathrm{Sep}(\alpha, \beta) + \|\zeta\| \le \mathrm{Sep}(\zeta\alpha, \eta\beta)$, and 

2. $\min\{ \mathrm{Sep}(\alpha, \beta), \mathrm{Sep}(\beta, \zeta) \} \le \mathrm{Sep}(\alpha, \zeta)$. 
Proof. 

(1.): Note that the first inequality $1 \le \mathrm{Sep}(\alpha, \beta)$ is a direct consequence 
of the definition of separability. If one of the separabilities occurring in the 
lemma is infinite, we distinguish the following cases: 

(a) If $\mathrm{Sep}(\alpha, \beta) = \infty$ then $\alpha \sim \beta$, and therefore also $\alpha\zeta \sim \beta\eta$, as we assumed 
$\zeta \sim \eta$. Hence we conclude $\mathrm{Sep}(\alpha\zeta, \beta\eta) = \infty$. 

(b) If $\mathrm{Sep}(\alpha\zeta, \beta\eta) = \infty$ then $\alpha\zeta \sim \beta\eta$. Since there is nothing to show if $\|\zeta\|$ is 
infinite we may assume that $\|\zeta\|$ is finite. This implies that $\|\alpha\|$ and $\|\beta\|$ 
are either both infinite or both finite since, for example, the assumption 
that $\|\alpha\|$ is finite and $\|\beta\|$ is infinite yields $\alpha\zeta \sim \beta\eta \sim \beta$ and thus that $\|\alpha\zeta\|$ 
must be infinite, which contradicts our assumption about the finiteness 
of $\|\zeta\|$. But, if $\|\alpha\|$ and $\|\beta\|$ are both infinite we conclude from Lemma 
2.6.3 that $\alpha \sim \beta$, and if both norms are finite we similarly deduce by 
means of Lemma 2.6.1(2.) that $\alpha \sim \beta$, and therefore $\mathrm{Sep}(\alpha, \beta) = \infty$. 

(c) If $\mathrm{Sep}(\alpha, \beta) = \infty$ then by definition $\alpha \sim \beta$, and hence also $\zeta\alpha \sim \eta\beta$. 
Therefore $\mathrm{Sep}(\zeta\alpha, \eta\beta) = \infty$. Finally, also from the assumption that $\|\zeta\|$ is 
infinite we may deduce $\zeta\alpha \sim \zeta \sim \eta \sim \eta\beta$, and hence $\mathrm{Sep}(\zeta\alpha, \eta\beta) = \infty$. 

Henceforth, we prove that the inequalities also hold when we suppose that 
all separabilities occurring in the lemma are finite. 



(a) $\mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\alpha\zeta, \beta\eta)$ 

We first prove that 

$$\alpha \sim_m \beta \ \text{ implies } \ \alpha\zeta \sim_m \beta\eta \qquad (5.1)$$

by induction on $m$. For $m = 0$ simply observe that $\alpha\zeta \sim_0 \beta\eta$ is always valid. 
Now assume (5.1) holds for $m$. Let $\alpha \sim_{m+1} \beta$, and consider $\alpha\zeta \stackrel{a}{\longrightarrow} \alpha'\zeta$ for 
some action $a$ and some $\alpha'$. From $m+1$-bisimilarity of $\alpha$ and $\beta$ we deduce 
there exists some $\beta'$ such that $\beta \stackrel{a}{\longrightarrow} \beta'$ and $\alpha' \sim_m \beta'$. However, this implies 
also $\beta\eta \stackrel{a}{\longrightarrow} \beta'\eta$ and by induction hypothesis $\alpha'\zeta \sim_m \beta'\eta$. Since the dual case 
for $\beta\eta \stackrel{a}{\longrightarrow} \beta'\eta$ is shown analogously, we obtain $\alpha\zeta \sim_{m+1} \beta\eta$. To continue, let 
now $\mathrm{Sep}(\alpha, \beta) = m + 1$ and hence $\alpha \sim_m \beta$. By (5.1) thus $\alpha\zeta \sim_m \beta\eta$ which, 
finally, yields 

$$\mathrm{Sep}(\alpha, \beta) = m + 1 \le \mathrm{Sep}(\alpha\zeta, \beta\eta).$$



(b) $\mathrm{Sep}(\alpha\zeta, \beta\eta) \le \mathrm{Sep}(\alpha, \beta) + \|\zeta\|$ 

This inequality is shown by induction on $\mathrm{Sep}(\alpha, \beta)$. For $\mathrm{Sep}(\alpha, \beta) = 1$, we 
either have wlog. $\alpha = \varepsilon$ and $\beta \neq \varepsilon$, which implies by Lemma 5.3.3 

$$\mathrm{Sep}(\alpha\zeta, \beta\eta) \le \|\zeta\| + 1 = \mathrm{Sep}(\alpha, \beta) + \|\zeta\|,$$

or we have $\alpha, \beta \neq \varepsilon$, which implies 

$$\mathrm{Sep}(\alpha\zeta, \beta\eta) = 1 = \mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\alpha, \beta) + \|\zeta\|.$$

Now let $\mathrm{Sep}(\alpha, \beta) = m + 1$ and wlog. $\alpha \stackrel{a}{\longrightarrow} \alpha'$ be a separating transition for 
$\alpha$ and $\beta$. Furthermore assume that $\mathrm{Sep}(\alpha\zeta, \beta\eta) = k + 1$. Thus $\alpha\zeta \sim_k \beta\eta$ and 
there exists some $\beta'$ with $\beta \stackrel{a}{\longrightarrow} \beta'$ and $\alpha'\zeta \sim_{k-1} \beta'\eta$. This yields 

$$\mathrm{Sep}(\alpha'\zeta, \beta'\eta) \ge k = \mathrm{Sep}(\alpha\zeta, \beta\eta) - 1.$$

Since $\alpha \stackrel{a}{\longrightarrow} \alpha'$ is separating, we conclude that $\mathrm{Sep}(\alpha', \beta') \le m$, which allows 
us to apply the induction hypothesis. Summarising we obtain 

$$\mathrm{Sep}(\alpha\zeta, \beta\eta) \le \mathrm{Sep}(\alpha'\zeta, \beta'\eta) + 1$$

$$\le \mathrm{Sep}(\alpha', \beta') + 1 + \|\zeta\|$$

$$\le \mathrm{Sep}(\alpha, \beta) + \|\zeta\|.$$



(c) $\mathrm{Sep}(\alpha, \beta) + \|\zeta\| \le \mathrm{Sep}(\zeta\alpha, \eta\beta)$ 

Let $\mathrm{Sep}(\zeta\alpha, \eta\beta) = m$, and $\mathrm{Sep}(\alpha, \beta) = r$. In order to show the inequality 
we construct a separability-reducing transition track for $(\zeta\alpha, \eta\beta)$ consisting 
of pairs $(\zeta_i\alpha, \eta_i\beta)$ such that the invariant $\zeta_i \sim \eta_i$ holds, by means of the 
following strategy. If the actual pair is of the form $\zeta_i\alpha \not\sim_i \eta_i\beta$ let without loss 
of generality $\zeta_i\alpha \stackrel{a}{\longrightarrow} \zeta_{i+1}\alpha$ be the separating transition². Since by invariant 
$\zeta_i \sim \eta_i$ we can choose some $\eta_{i+1}$ such that $\eta_i \stackrel{a}{\longrightarrow} \eta_{i+1}$ and $\zeta_{i+1} \sim \eta_{i+1}$, which 
yields $\eta_i\beta \stackrel{a}{\longrightarrow} \eta_{i+1}\beta$ as the matching transition. Moreover, as $\zeta_i\alpha \stackrel{a}{\longrightarrow} \zeta_{i+1}\alpha$ 
was separating we obtain $\zeta_{i+1}\alpha \not\sim_{i-1} \eta_{i+1}\beta$. Eventually, this will lead us in 
$m - r \ge \|\zeta\|$ steps to $\alpha \not\sim_r \beta$. Thus together we obtain 

$$\|\zeta\| + \mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\zeta\alpha, \eta\beta).$$

(2.): Assume without loss of generality that $m + 1 = \mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\beta, \zeta)$. 
Then $\alpha \sim_m \beta \sim_m \zeta$, and by transitivity also $\alpha \sim_m \zeta$. Thus we obtain 
$\mathrm{Sep}(\alpha, \beta) \le \mathrm{Sep}(\alpha, \zeta)$. □ 

Example 5.3.2. That the fourth inequality of the previous Lemma 5.3.5(1.) 

$$\mathrm{Sep}(\alpha, \beta) + \|\zeta\| \le \mathrm{Sep}(\zeta\alpha, \eta\beta)$$

may be proper is demonstrated by the example 

$$\alpha = a, \quad \beta = b \quad\text{and}\quad \zeta = a + a\alpha + a\beta$$

given by Caucal. In this case 

$$\mathrm{Sep}(\alpha, \beta) = 1, \quad \|\zeta\| = 1, \quad\text{but}\quad \mathrm{Sep}(\zeta\alpha, \zeta\beta) = 3.$$

Figure 5.3 shows the transition graphs for $\zeta\alpha$ and $\zeta\beta$. In the example every 
initial transition is separating, which demonstrates that a separating tran- 
sition need not be norm-reducing. In contrast, for simple grammars we 
always have equality since separating transitions are also norm-reducing. 
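Definitions 5.3.1 to 5.3.3 and the numbers claimed in Examples 5.3.1 and 5.3.2 can be checked mechanically. The following Python code is an added example and not from the monograph: it encodes the BPA equations of both examples as constructed data, iterates Milner's $\mathcal{F}$ over the finitely many process pairs reachable from the two roots to obtain $\sim_m$, and reads off $\mathrm{Sep}$; the variable names `alpha`, `beta`, `zeta` for Example 5.3.2 and the state-space cap are assumptions of the example.

```python
"""Added example: Milner approximations ~_m and separability Sep (Definitions 5.3.1-5.3.3)
for guarded BPA systems, applied to Examples 5.3.1 and 5.3.2 of the text."""
import math
from itertools import product

# A BPA system maps each variable to its summands (action, right-hand side).
# Processes are tuples of variables; the empty tuple () is the empty process epsilon.

# Example 5.3.1, constructed here as in the text: A = a, B = b, C = a + aAB, D = a + aA
EX_531 = {
    "A": [("a", ())],
    "B": [("b", ())],
    "C": [("a", ()), ("a", ("A", "B"))],
    "D": [("a", ()), ("a", ("A",))],
}

# Example 5.3.2 (Caucal), constructed with assumed variable names: alpha = a, beta = b,
# zeta = a + a.alpha + a.beta; the text compares zeta.alpha with zeta.beta
EX_532 = {
    "alpha": [("a", ())],
    "beta": [("b", ())],
    "zeta": [("a", ()), ("a", ("alpha",)), ("a", ("beta",))],
}


def transitions(sys, proc):
    """Moves of a sequence X.rest in a guarded BPA system: each summand of X, rest appended."""
    if not proc:
        return []
    head, rest = proc[0], proc[1:]
    return [(act, rhs + rest) for act, rhs in sys[head]]


def reachable(sys, roots, limit=10_000):
    """Processes reachable from roots; BPA systems can be infinite-state, so the search is capped."""
    seen, todo = set(roots), list(roots)
    while todo:
        for _, succ in transitions(sys, todo.pop()):
            if succ not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("reachable state space exceeds the cap")
                seen.add(succ)
                todo.append(succ)
    return seen


def norm(sys, proc, limit=10_000):
    """||proc||: length of a shortest transition sequence to epsilon; math.inf if unnormed."""
    frontier, seen, dist = [proc], {proc}, 0
    while frontier:
        if () in frontier:
            return dist
        nxt = []
        for p in frontier:
            for _, succ in transitions(sys, p):
                if succ not in seen:
                    seen.add(succ)
                    nxt.append(succ)
        if len(seen) > limit:
            return math.inf  # assumption of the example: no epsilon within the cap means unnormed
        frontier, dist = nxt, dist + 1
    return math.inf


def refine(sys, states, R):
    """F(R) of Definition 5.3.1 restricted to states x states (a transition-closed set)."""
    out = set()
    for p, q in product(states, repeat=2):
        tp, tq = transitions(sys, p), transitions(sys, q)
        fwd = all(any(a == b and (p2, q2) in R for b, q2 in tq) for a, p2 in tp)
        bwd = all(any(a == b and (p2, q2) in R for a, p2 in tp) for b, q2 in tq)
        if fwd and bwd:
            out.add((p, q))
    return out


def separability(sys, p, q):
    """Sep(p, q) = sup{ m | p ~_m q } + 1, with Sep = inf exactly when p ~ q."""
    states = reachable(sys, [p, q])
    R = set(product(states, repeat=2))  # F^0(P x P): p ~_0 q always holds
    m = 0
    while (p, q) in R:
        nxt = refine(sys, states, R)
        if nxt == R:      # F^m is a fixpoint containing (p, q), hence a bisimulation
            return math.inf
        R, m = nxt, m + 1
    return m              # p ~_{m-1} q but not p ~_m q, so Sep(p, q) = (m - 1) + 1


def m_bisimilar(sys, p, q, m):
    """p ~_m q holds iff (p, q) survives m refinement steps, i.e. Sep(p, q) > m."""
    return separability(sys, p, q) > m


if __name__ == "__main__":
    C, D, AB, A = ("C",), ("D",), ("A", "B"), ("A",)
    print("Sep(C, D) =", separability(EX_531, C, D))                         # 3
    print("Sep(AB, eps) =", separability(EX_531, AB, ()))                    # 1
    print("Sep(AB, A) =", separability(EX_531, AB, A))                       # 2
    za, zb = ("zeta", "alpha"), ("zeta", "beta")
    print("Sep(alpha, beta) =", separability(EX_532, ("alpha",), ("beta",)))  # 1
    print("||zeta|| =", norm(EX_532, ("zeta",)))                             # 1
    print("Sep(zeta alpha, zeta beta) =", separability(EX_532, za, zb))      # 3
```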

² This transition need not be norm-reducing as in the case of simple grammars. 

Fig. 5.3. The transition graphs for $\zeta\alpha$ and $\zeta\beta$. 



We close this section by extending the notion of separability to relations. 

Definition 5.3.5. Let $R$ be a binary relation over processes. Then 

$$\mathrm{Sep}(R) =_{df} \inf\{ \mathrm{Sep}(\alpha, \beta) \mid (\alpha, \beta) \in R \}.$$

Since we will be interested particularly in the least congruence of a given 
relation $R$ the following lemma is important. 

Lemma 5.3.6. Let $R$ be a binary relation on $V^*$. Then we have, for all $(\alpha', \beta')$ with $(\alpha, \beta) \longrightarrow_R^{*} (\alpha', \beta')$, 

$$\mathrm{Sep}(R \cup \{ (\alpha, \beta) \}) \le \mathrm{Sep}(\alpha', \beta').$$

Proof. The one-step rewriting $\longrightarrow_R$ can be extended to $(V^*)^2 \times (V^*)^2$ by 

$$(\alpha, \beta) \longrightarrow_R (\alpha', \beta') \ \text{ if } \ (\alpha \longrightarrow_R \alpha' \wedge \beta = \beta') \ \text{ or } \ (\alpha = \alpha' \wedge \beta \longrightarrow_R \beta'),$$

which allows us to define $(\alpha, \beta) \longrightarrow_R^{i} (\alpha', \beta')$ in the usual fashion. The lemma 
is then shown by induction on $i$. For $i = 0$ simply observe that 

$$\mathrm{Sep}(R \cup \{ (\alpha, \beta) \}) = \min\{ \mathrm{Sep}(R), \mathrm{Sep}(\alpha, \beta) \} \le \mathrm{Sep}(\alpha, \beta).$$

Now assume $(\alpha, \beta) \longrightarrow_R^{i} (\alpha'', \beta'') \longrightarrow_R (\alpha', \beta')$ such that wlog. $\alpha'' \longrightarrow_R \alpha'$ and 
$\beta'' = \beta'$. Then by induction hypothesis we have 

$$\mathrm{Sep}(R \cup \{ (\alpha, \beta) \}) \le \mathrm{Sep}(\alpha'', \beta'') = \mathrm{Sep}(\alpha'', \beta')$$

and by definition 

$$\mathrm{Sep}(R) \le \mathrm{Sep}(\alpha'', \alpha').$$

Summarising we obtain by means of Lemma 5.3.5(2.) 

$$\mathrm{Sep}(R \cup \{ (\alpha, \beta) \}) \le \min\{ \mathrm{Sep}(\alpha', \alpha''), \mathrm{Sep}(\alpha'', \beta') \} \le \mathrm{Sep}(\alpha', \beta').$$

□ 
5.4 Deciding Bisimilarity of Normed BPA 

In this section we present a branching algorithm for deciding bisimilarity 
of normed context-free processes. Thereby we improve on a similar tableau 
system presented in [HS91] in two respects: first we introduce an explicit 
SPLIT rule which replaces the “eliminating subtableau” construction and 
secondly, we use a depth-first, left-to-right derivation strategy together with 
variable reduction. Both techniques together reduce the exponential growth of the 
size of a tableau. The aim of the branching algorithm is not to improve on the 
polynomial time-complexity of [HJM94], but to use it for giving a bound on 
the number of transitions needed to separate two non-bisimilar normed BPA 
processes. This bound was formerly shown for the restricted case of simple 
grammars in [Cau89]. 

Since our branching algorithm is tree-oriented, we start by presenting the 
necessary notations. Given a set $M$, an $M$-valued tree $T$ is a map from the 
set of nodes $N(T) \subseteq \mathbb{N}^*$ to $M$ such that $N(T)$ is prefix closed and satisfies 

$$uj \in N(T) \wedge i < j \;\Rightarrow\; ui \in N(T).$$

The branching algorithm will construct a tree where each node is labelled 
with an equation $\alpha = \beta$ for some $\alpha, \beta \in V^*$. Starting with the root each node 
is subsequently expanded in lexical order by using a rule which has the form 

$$\frac{\alpha = \beta}{\alpha_1 = \beta_1 \ \ldots\ \alpha_m = \beta_m} \quad C$$

with side conditions $C$ restricting the applicability. Intuitively, this rule ex- 
presses that the goal $\alpha = \beta$, the node under consideration, can be proved 
by verifying the subgoals $\alpha_1 = \beta_1, \ldots, \alpha_m = \beta_m$ constituting sons in 
the tree. During the construction of the tree we will extract a fundamental 
relation which is defined as follows. 

Definition 5.4.1. Let $R$ be a binary relation over $V^*$. 

— The domain of $R$ is the set 

$$\mathrm{dom}(R) =_{df} \{ \alpha \mid \alpha R \beta \},$$

while the image of $R$ is the set 

$$\mathrm{im}(R) =_{df} \{ \beta \mid \alpha R \beta \}.$$

— $R$ is called fundamental, if it satisfies the following three conditions: 

1. $\mathrm{dom}(R) \subseteq V$ and $\mathrm{im}(R) \subseteq (V \setminus \mathrm{dom}(R))^*$, 

2. $R$ is functional: if $X R \alpha$ and $X R \beta$ then $\alpha = \beta$, and 

3. $R$ is norm-preserving: if $X R \alpha$ then $\|X\| = \|\alpha\|$. 

It is easy to see that any fundamental relation $R$ is confluent and noethe- 
rian. Thus any $\alpha$ possesses a unique normal form $\alpha{\downarrow}R$. Moreover, if $\mathrm{card}$ 
denotes the cardinality of either sets or relations, we have $\mathrm{card}(R) \le \mathrm{card}(V)$ 
due to property (1) and $R$ being functional. This puts us in a position to give 
the details of our branching algorithm. 

Let BA be the recursive procedure which takes as input parameter a tuple 
$(T, u, R)$ where $T$ is a tree, $u$ is a leaf node of the tree and $R$ a fundamental 
relation, and returns either “failure” or a triple $(T', u', R')$ of the same type 
as $(T, u, R)$. Abbreviating $\{ 1, \ldots, n \}$ by $[n]$, the procedure $\mathrm{BA}(T, u, R)$ is 
defined by means of the rules listed in Table 5.1 and the instructions given 
in Table 5.2. 



$$\text{REDUCE}\qquad \frac{\alpha = \beta}{\alpha{\downarrow}R = \beta{\downarrow}R} \qquad \text{where } \alpha \neq \alpha{\downarrow}R \text{ or } \beta \neq \beta{\downarrow}R.$$

$$\text{SWAP}\qquad \frac{X_j\beta = X_i\alpha}{X_i\alpha = X_j\beta} \qquad \text{where } X_j\beta,\, X_i\alpha \text{ are in normal form, and } j > i.$$

$$\text{LCANCEL}\qquad \frac{X_i\alpha = X_i\beta}{\alpha = \gamma\beta} \qquad \text{where } X_i\alpha,\, X_i\beta \text{ are in normal form, } \|X_i\alpha\| = \|X_i\beta\|, \text{ and } \exists w.\ |w| = \|X_i\|,\ X_i \stackrel{w}{\longrightarrow} \varepsilon \text{ and } X_i \stackrel{w}{\longrightarrow} \gamma.$$

$$\text{SPLIT}\qquad \frac{X_i\alpha = X_j\beta}{X_i\gamma = X_j \qquad \alpha = \gamma\beta} \qquad \text{where } X_i\alpha,\, X_j\beta \text{ are in normal form, } i < j,\ \|X_i\alpha\| = \|X_j\beta\|,\ \alpha, \beta \neq \varepsilon, \text{ and } \exists w.\ |w| = \|X_i\|,\ X_i \stackrel{w}{\longrightarrow} \varepsilon \text{ and } X_j \stackrel{w}{\longrightarrow} \gamma.$$

$$\text{UNFOLD}\qquad \frac{X_i\alpha = X_j}{\{ \alpha_p\alpha = \beta_{f(p)} \}_{p=1}^{k} \qquad \{ \alpha_{g(q)}\alpha = \beta_q \}_{q=1}^{l}}$$

$$\text{where } X_i\alpha,\, X_j \text{ are in normal form, } i < j,\ \|X_i\alpha\| = \|X_j\|,\ X_i \neq X_j,\ X_i =_{df} \sum_{p=1}^{k} a_p\alpha_p,\ X_j =_{df} \sum_{q=1}^{l} b_q\beta_q,\ f : [k] \to [l],\ \forall p \in [k].\ a_p = b_{f(p)},\ g : [l] \to [k],\ \forall q \in [l].\ a_{g(q)} = b_q.$$

Table 5.1. The Expansion Rules of the Branching Algorithm. 



There are two points worth mentioning here. First, even though there 
is at most one rule applicable during the execution of the procedure the 
algorithm is still nondeterministic, since we have, for example, to guess the 
right functions $f$ and $g$ for every application of the UNFOLD rule. Thus there 
may be many execution sequences of BA, which we call runs of BA in the 
sequel. 
Let $T(u)$ be labelled by $\alpha = \beta$. 

1. If no rule is applicable then 

— If $\alpha, \beta = \varepsilon$ 

then if $u$ has a successor $v$ in the lexical order 

— then continue with $\mathrm{BA}(T, v, R)$ 

— else stop successfully with $(T, u, R)$. 

— Otherwise stop with “failure”. 

2. Else apply the unique applicable rule $r$ to $u$. Let $e_1, \ldots, e_m$ be the consequents 
of the rule application, $T' = T \cup \{ (ui, e_i) \mid 1 \le i \le m \}$ and $u' = u1$. If $r$ is 
the UNFOLD rule 

— then continue with $\mathrm{BA}(T', u', \{ (X, \beta{\downarrow}\{ (X_j, X_i\alpha) \}) \mid X R \beta \} \cup \{ (X_j, X_i\alpha) \})$ 

— else continue with $\mathrm{BA}(T', u', R)$. 

Table 5.2. The Instructions of the Branching Algorithm. 



Secondly, we have used a less restrictive LCANCEL rule compared to the 
usual definition: 

$$\text{LCANCEL}'\qquad \frac{X_i\alpha = X_i\beta}{\alpha = \beta} \qquad \text{where } X_i\alpha,\, X_i\beta \text{ are in normal form, and } \|X_i\alpha\| = \|X_i\beta\|,$$

since in our version we do not require that $\gamma$ must equal $\varepsilon$. The reason for 
this relaxation is that we want later on to bound the separability of $X_i\alpha$ and 
$X_i\beta$ as formally stated in Lemma 5.5.2. 

To determine now whether $\alpha \sim \beta$, we start the branching algorithm with 

$$\mathrm{BA}(\{ (\varepsilon, \alpha = \beta) \}, \varepsilon, \emptyset),$$

i.e. we start at the root of the tree $T$ which has only a single node $\alpha = \beta$ at the 
root, and our fundamental relation $R$ is initially empty. Before proving the 
soundness, completeness and termination of the algorithm, we summarise 
some basic facts about rule applications. Let henceforth $\|\alpha, \beta\|$ abbreviate 
$\min\{ \|\alpha\|, \|\beta\| \}$. 



Lemma 5.4.1. Concerning the minimal norm of left and right-hand sides 
of equations occurring as premises in rule applications, the REDUCE and the 
SWAP rule are norm-preserving, while the LCANCEL and the SPLIT rule are 
strictly norm-reducing, i.e. 

$$\begin{array}{ll}
\text{REDUCE}: & \|\alpha, \beta\| = \|\alpha{\downarrow}R, \beta{\downarrow}R\| \\
\text{SWAP}: & \|X_j\beta, X_i\alpha\| = \|X_i\alpha, X_j\beta\| \\
\text{LCANCEL}: & \|X_i\alpha, X_i\beta\| > \|\alpha, \gamma\beta\| \\
\text{SPLIT}: & \|X_i\alpha, X_j\beta\| > \max\{ \|X_i\gamma, X_j\|, \|\alpha, \gamma\beta\| \}
\end{array}$$
Proof. The equality for the REDUCE rule follows from the norm-preserving 
property of $R$, while the other (in)equalities are a direct consequence of the 
definitions. □ 

Proposition 5.4.1. Each run for $\alpha = \beta$ is finite. 

Proof. Consider the sequence $(T_i, u_i, R_i)_{i \ge 0}$ of successive call parameters of 
BA with $T_0 = \{ (\varepsilon, (\alpha, \beta)) \}$, $u_0 = \varepsilon$ and $R_0 = \emptyset$. By induction on $i$ we show 
that each $R_i$ is a fundamental relation. For the base case observe that $R_0 = \emptyset$ 
is clearly fundamental. Now let $(T_k, u_k, R_k)$ be the current call parameter of 
BA where we assume that $R_k$ is fundamental. Suppose the UNFOLD rule is 
applied to $u_k$ and thus 

$$R_{k+1} = \{ (X, \beta{\downarrow}\{ (X_j, X_i\alpha) \}) \mid X R_k \beta \} \cup \{ (X_j, X_i\alpha) \},$$

since otherwise $R_{k+1} = R_k$ is obviously fundamental. First we deduce that 

$$X_i\alpha \in (V \setminus \mathrm{dom}(R_k))^*$$

from $X_i\alpha{\downarrow}R_k = X_i\alpha$, and that $X_j$ does not occur in $X_i\alpha$ from $\|X_i\alpha\| = 
\|X_j\|$, respectively. Overall, this yields 

$$X_i\alpha \in (V \setminus \mathrm{dom}(R_{k+1}))^*.$$

Hence, by induction hypothesis we have 

$$\mathrm{dom}(R_{k+1}) = \mathrm{dom}(R_k) \cup \{ X_j \} \subseteq V, \ \text{ and }$$

$$\mathrm{im}(R_{k+1}) = \{ \beta{\downarrow}\{ (X_j, X_i\alpha) \} \mid X R_k \beta \} \cup \{ X_i\alpha \} \subseteq (V \setminus \mathrm{dom}(R_{k+1}))^*.$$

Second, $R_{k+1}$ is functional since $X_j \notin \mathrm{dom}(R_k)$ due to $X_j{\downarrow}R_k = X_j$, and 
as by induction hypothesis $R_k$ is functional. Third, the precondition of the 
UNFOLD rule assures that $\|X_i\alpha\| = \|X_j\|$. Together with the norm-preserving 
property of $R_k$ following from the induction hypothesis this, finally, yields that 
also $R_{k+1}$ is norm-preserving. Summarising, we see that each $R_k$ occurring 
during a run of BA is fundamental. 

Now let $T$ be the tree constructed by a run of BA. Then the sequence of 
rules applied to the nodes occurring on a path in the tree is a word of the 
regular language represented by the BNF-expression: 

( [REDUCE] LCANCEL | 

[REDUCE] [SWAP] (SPLIT | UNFOLD) )* 

Since each $R_i$ is fundamental, we have at most $\mathrm{card}(V) - 1$ many UNFOLD 
applications. Considering $\|\alpha, \beta\|$ for each node label $\alpha = \beta$, we deduce from 
Lemma 5.4.1 that every path in $T$ has finite length. Since also every rule 
application has only finitely many consequents, we obtain by König's Lemma 
that $T$ must be finite. □ 
It is also possible to show the slightly stronger result that the length of 
each path is not only finite, but also bounded. This implies that the number 
of runs for $\alpha = \beta$ is also finite, which is needed for the decidability of the 
bisimulation equivalence problem by means of BA. However, since we will 
only concentrate on developing a bound for separability it is sufficient for this 
purpose to show the soundness and completeness of the branching algorithm. 

Proposition 5.4.2. The branching algorithm is sound and complete, i.e. we 
have $\alpha \sim \beta$ iff there exists a successful run for $\alpha = \beta$. 

Proof. Assume a ~ /?. Then we build a tree for a = f3 in such a way that for 
each node labelled with C = r; we have C ~ 77. It is important to note that we 
can always apply one of the rules to such a node whenever C ~ 

If we have now to apply the LC ANGEL rule to a node of the form = 
Xif3, let 7 = e and thus Xi — >■ f3. From Lemma 2. 6. 1(1.) it easily follows 
that the consequents resulting from such an application are bisimilar if the 
antecedent is. Obviously the same holds for any application of the SWAP rule. 
If we have to apply the SPLIT rule choose 7 as given by the splitting Lemma 
2.6.2, and in the case of an UNFOLD application simply choose the matching 
transitions which must exist due to the definition of bisimulation. This way 
only bisimilar pairs are added to R during an UNFOLD application. Then the 
congruence property of bisimulation wrt. sequential composition yields the 
correctness of the REDUCE rule. By Proposition 5.4.1 this construction must 
terminate, and from instruction (1) of the branching algorithm we see that 
all resulting terminals are of the form e = e. Hence, the branching algorithm 
is complete. 

Let now $(T, u, R)$ be the value returned by BA. Then we prove soundness by showing that

$S =_{df} \{ (\alpha, \beta) \mid \alpha = \beta \text{ is a node labelling in the tree } T \}$

is a self-bisimulation, i.e. that $\alpha \equiv_S \beta$ whenever $(\alpha, \beta) \in S$.

First, we deal with the easiest case, i.e. the UNFOLD rule is applied to $\zeta = \eta$. This guarantees that for each $\zeta \xrightarrow{a} \zeta'$ we have $\eta \xrightarrow{a} \eta'$ for some $\eta'$ such that $(\zeta', \eta') \in S$ and, symmetrically, for each $\eta \xrightarrow{a} \eta'$ we have $\zeta \xrightarrow{a} \zeta'$ for some $\zeta'$ such that $(\zeta', \eta') \in S$, as desired.

The remaining cases are now proved by induction on the depth of subtrees. For leaves ($\varepsilon = \varepsilon$) nothing needs to be shown. Thus assume $\zeta = \eta$ is an inner node.

If $\zeta = \eta$ is the premise of a SWAP application, the self-bisimulation condition follows by induction hypothesis from the self-bisimulation property of $(\eta, \zeta)$.

Second, if the SPLIT rule is applied to $\zeta = \eta$, then $\zeta$ must be of the form $X_i\alpha$, while $\eta$ must have the form $X_j\beta$. Then let $X_i\gamma = X_j$ and $\alpha = \gamma\beta$ be the consequents. Now consider $X_i\alpha \xrightarrow{a} \alpha'\alpha$, which implies $X_i\gamma \xrightarrow{a} \alpha'\gamma$. Then we know that $X_j \xrightarrow{a} \beta'$ for some $\beta'$ such that by induction hypothesis $\alpha'\gamma \leftrightarrow^*_S \beta'$. This yields $X_j\beta \xrightarrow{a} \beta'\beta$, and observing that $(\alpha, \gamma\beta) \in S$ we obtain

$\alpha'\alpha \leftrightarrow^*_S \alpha'\gamma\beta \leftrightarrow^*_S \beta'\beta$.

The symmetric case is shown in a similar way.

Third, since $T$ is the result of a successful run of BA, in case of an LCANCEL application to $X_i\alpha = X_i\beta$ it is easy to prove by considering the norm that the consequent must be $\alpha = \beta$. Thus by induction hypothesis we know $\alpha \equiv_S \beta$, and the self-bisimulation condition easily follows from $\gamma\alpha \leftrightarrow^*_S \gamma\beta$ for all $\gamma$ with $X_i \xrightarrow{a} \gamma$.

Fourth, in the remaining case of a REDUCE application to $X_i\alpha = X_j\beta$, the self-bisimulation condition is a consequence of the induction hypothesis $X_i\alpha\!\downarrow_R \equiv_S X_j\beta\!\downarrow_R$ and the following claim, as by Lemma 2.6.5 $\equiv_S$ is a transitive relation and we therefore have

$X_i\alpha \equiv_S X_i\alpha\!\downarrow_R \equiv_S X_j\beta\!\downarrow_R \equiv_S X_j\beta$.

Now let

$U =_{df} \{ (X_j, X_i\alpha) \mid X_i\alpha = X_j \text{ is an UNFOLD node labelling in the tree } T \}$.

Claim: For any $\alpha, \beta \in V^*$ we have that $\alpha \rightarrow^*_U \beta$ implies $\alpha \equiv_S \beta$.

Proof. The claim is shown by induction on the number of rewrite steps from $\alpha$ to $\beta$. For $n = 0$ we have $\alpha = \beta$ and there is nothing to show. Now let the claim hold for $n$ rewrite steps, and consider the $n + 1$ step derivation

$\alpha = \alpha_1 X \alpha_2 \rightarrow_U \alpha_1 \eta \alpha_2 \rightarrow^n_U \beta$.

When $\alpha_1 = \varepsilon$ we use the fact that $X \equiv_S \eta$, since $\eta = X$ is the labelling of an UNFOLD node in the tree $T$, to obtain by induction hypothesis

$\alpha = X\alpha_2 \equiv_S \eta\alpha_2 \equiv_S \beta$.

If, however, $\alpha_1 \neq \varepsilon$, let $\alpha_1 X \alpha_2 \xrightarrow{a} \zeta X \alpha_2$ for some $\zeta$. But then we have similarly $\alpha_1 \eta \alpha_2 \xrightarrow{a} \zeta \eta \alpha_2$ and, moreover, $\zeta X \alpha_2 \leftrightarrow^*_S \zeta \eta \alpha_2$ since $U \subseteq S$. As the case $\alpha_1 \eta \alpha_2 \xrightarrow{a} \zeta \eta \alpha_2$ for some $\zeta$ is shown analogously, we conclude again by induction hypothesis

$\alpha = \alpha_1 X \alpha_2 \equiv_S \alpha_1 \eta \alpha_2 \equiv_S \beta$. □

Since each rewrite step $\alpha \rightarrow_R \beta$ corresponds by construction of $R$ to some rewrite sequence $\alpha \rightarrow^*_U \beta$, we may thus conclude $X_i\alpha \equiv_S X_i\alpha\!\downarrow_R$ for any process $X_i\alpha \in V^+$.

Overall, this shows that the branching algorithm is sound and complete. □
5.5 A Bound for Separability

In this section we develop a bound for the separability of two non-bisimilar normed BPA processes from the branching algorithm presented in the previous section. To start with, we give a bound for the separability of two processes occurring in a node which cannot be further expanded.

Lemma 5.5.1. If no rule is applicable to an equation $X_i\alpha = X_j\beta$, we have

$Sep(X_i\alpha, X_j\beta) \leq \|X_i\alpha, X_j\beta\| + 1$.

Proof. Since none of the rules REDUCE and SWAP is applicable, we conclude that $X_i\alpha$ as well as $X_j\beta$ are in normal form, and that $i \leq j$. Thus either the left- and right-hand side of the equation have different norms and the inequality follows from Lemma 5.3.3, or we have $\|X_i\alpha\| = \|X_j\beta\|$. As LCANCEL is also not applicable we deduce $i < j$, and must further distinguish between $\min\{ |X_i\alpha|, |X_j\beta| \} = 1$ and $\min\{ |X_i\alpha|, |X_j\beta| \} > 1$. The non-applicability of the UNFOLD rule guarantees in the first case $Sep(X_i\alpha, X_j\beta) = 1$, while the non-applicability of the SPLIT rule implies in the latter case

$Sep(X_i\alpha, X_j\beta) \leq \|X_i\| + 1 \leq \|X_i\alpha\| + 1$.

□

Now we successively relate the separabilities of premise and consequents for SWAP, LCANCEL, and SPLIT rule applications. As the result we will obtain that if $\alpha = \beta$ is the premise there exists some rule application such that for any consequent $\zeta = \eta$ the following holds:

$Sep(\alpha, \beta) \leq Sep(\zeta, \eta) + \|\alpha, \beta\| - \|\zeta, \eta\|$ (5.2)

It is worth remarking that the restriction that the inequality is only guaranteed to hold for some rule application is due to the nondeterminism of context-free processes. In contrast, for the deterministic variant of simple grammars it is known that any rule application of LCANCEL and SPLIT satisfies Inequality 5.2.

Remark 5.5.1. For any SWAP application to $X_j\beta = X_i\alpha$ we obviously have:

$Sep(X_j\beta, X_i\alpha) \leq Sep(X_i\alpha, X_j\beta) + \|X_j\beta, X_i\alpha\| - \|X_i\alpha, X_j\beta\|$.

Lemma 5.5.2. If the LCANCEL rule is applicable to $X_i\alpha = X_i\beta$ then there exists an application such that for the consequent $\alpha = \gamma\beta$ we have:

$Sep(X_i\alpha, X_i\beta) \leq Sep(\alpha, \gamma\beta) + \|X_i\alpha, X_i\beta\| - \|\alpha, \gamma\beta\|$

Proof. Let $X_i\alpha \xrightarrow{w} \alpha$ with $|w| = \|X_i\|$. Due to Lemma 5.3.4 there exists some $\gamma$ with $X_i\beta \xrightarrow{w} \gamma\beta$ and

$Sep(X_i\alpha, X_i\beta) \leq |w| + Sep(\alpha, \gamma\beta)$.

Thus we obtain:

$Sep(X_i\alpha, X_i\beta)$
$\leq |w| + Sep(\alpha, \gamma\beta)$
$= Sep(\alpha, \gamma\beta) + \|X_i\| + \|\alpha, \beta\| - \|\alpha, \beta\|$
$= Sep(\alpha, \gamma\beta) + \|X_i\alpha, X_i\beta\| - \|\alpha, \gamma\beta\|$

□

Lemma 5.5.3. If the SPLIT rule is applicable to $X_i\alpha = X_j\beta$ then there exists an application such that for every consequent $\zeta = \eta$ we have:

$Sep(X_i\alpha, X_j\beta) \leq Sep(\zeta, \eta) + \|X_i\alpha, X_j\beta\| - \|\zeta, \eta\|$.

Proof. By precondition of the SPLIT rule we know $\|X_i\alpha\| = \|X_j\beta\|$, and that $X_i \xrightarrow{w} \varepsilon$ is a norm-reducing transition sequence. Since $X_j \xrightarrow{w} \gamma$ does not need to be norm-reducing as well, we obtain for every application of the SPLIT rule

$\|\alpha\| = \|X_i\alpha\| - \|X_i\| = \|X_j\beta\| - |w| \leq \|\gamma\beta\|$, and
$\|X_j\| = \|X_j\beta\| - \|\beta\| \leq \|X_i\alpha\| + \|\gamma\| - \|\alpha\| = \|X_i\gamma\|$,

from which the following two equalities can be deduced:

$\|X_i\alpha, X_j\beta\| = \|X_i\alpha\| = \|X_i\| + \|\alpha\| = \|X_i\| + \|\alpha, \gamma\beta\|$, (5.3)

and

$\|X_i\alpha, X_j\beta\| = \|X_j\beta\| = \|X_j\| + \|\beta\| = \|\beta\| + \|X_i\gamma, X_j\|$. (5.4)

In case that now $|w| + 1 \leq Sep(X_i\alpha, X_j\beta)$ we apply Lemma 5.3.4. Observing that $X_i\alpha \xrightarrow{w} \alpha$ is also a norm-reducing transition sequence, we obtain that there exists some $\gamma$ such that $X_j\beta \xrightarrow{w} \gamma\beta$ and

$Sep(X_i\alpha, X_j\beta) \leq |w| + Sep(\alpha, \gamma\beta) = \|X_i\| + Sep(\alpha, \gamma\beta)$. (5.5)

If on the other side $|w| + 1 > Sep(X_i\alpha, X_j\beta)$ then equation (5.5) follows trivially.

Fixing this $\gamma$, the lemma now follows for the consequent $\alpha = \gamma\beta$ from

$Sep(X_i\alpha, X_j\beta)$
$\leq \|X_i\| + Sep(\alpha, \gamma\beta)$ [by (5.5)]
$= Sep(\alpha, \gamma\beta) + \|X_i\alpha, X_j\beta\| - \|\alpha, \gamma\beta\|$ [by (5.3)]

while for the consequent $X_i\gamma = X_j$ it follows from the inequality

$Sep(X_i\alpha, X_j\beta)$
$\leq \|X_i\| + Sep(\alpha, \gamma\beta)$ [by (5.5)] (5.6)
$\leq Sep(X_i\alpha, X_i\gamma\beta)$ [by Lemma 5.3.5(1)]

by means of

$Sep(X_i\alpha, X_j\beta)$
$= \min\{ Sep(X_i\gamma\beta, X_j\beta), Sep(X_i\alpha, X_j\beta) \}$ [by (5.6)]
$\leq Sep(X_i\gamma\beta, X_j\beta)$ [by Lemma 5.3.5(2)]
$\leq Sep(X_i\gamma, X_j) + \|\beta\|$ [by Lemma 5.3.5(1)]
$= Sep(X_i\gamma, X_j) + \|X_i\alpha, X_j\beta\| - \|X_i\gamma, X_j\|$ [by (5.4)]

□



Now let $\alpha \not\sim \beta$. Although by soundness of the branching algorithm every run of BA for $\alpha = \beta$ is unsuccessful, and therefore also every tree constructed during a run, we are merely interested in the particular tree $T$ with root $\alpha = \beta$ which satisfies the following two assumptions:

U-assumption: every consequent $\zeta = \eta$ of an UNFOLD application to $X_i\alpha = X_j$ in $T$ satisfies $Sep(X_i\alpha, X_j) \leq 1 + Sep(\zeta, \eta)$, and

SLS-assumption: every SWAP, LCANCEL, and SPLIT application in $T$ satisfies Inequality 5.2.

While the first assumption can be guaranteed by Lemma 5.3.4, the existence of appropriate LCANCEL and SPLIT applications is stated in the related Lemmata 5.5.2 and 5.5.3, respectively. Finally, Remark 5.5.1 deals with SWAP applications.

Henceforth, we order the nodes of $T$ by the usual lexical ordering $\leq_{lex}$ (depth-first, left-to-right traversal of the tree), split $N(T)$ into the set of nodes $N_U(T)$ whose labels have been expanded by the UNFOLD rule, and abbreviate $N(T) \setminus N_U(T)$ by $N_O(T)$. To shorten notation we omit references to $T$ in the sequel. Moreover, we order $N_U = \{ u_1, \ldots, u_p \}$ with $p \leq n = card(V)$ such that $u_i <_{lex} u_{i+1}$. For any $u \in N$, let now

$L_u =_{df} \{ n \in N_U \mid n \leq_{lex} u \}$, and

$D_u =_{df} \{ uv \in N \mid \forall w.\ w \text{ is a proper prefix of } v \Rightarrow uw \notin N_U \}$.

Intuitively, $D_u$ denotes the subtree of $T$ rooted at $u$ where the subtrees below nodes $uv \in N_U$, $v \neq \varepsilon$, are cut off. In particular, this means that if $\varepsilon \in N_U$ the set of tree nodes can be decomposed as

$N = \bigcup \{ D_{u_i} \setminus \{ u_i \} \mid i \in [p] \} \cup \{ \varepsilon \}$.

Writing

$M =_{df} \max\{ \|\alpha_i\| \mid X =_{df} \sum_{i=1}^{m} a_i\alpha_i \in \mathcal{E} \}$

for the greatest norm of a variable sequence occurring in a right-hand side summand, the next two lemmata state properties about the separability of processes occurring as labels of nodes contained in $D_u$.

Lemma 5.5.4. $\forall u \in N_O,\ \forall v \in D_u$:

- $\|T(v)\| \leq \|T(u)\|$

- $Sep(T(L_u) \cup \{ T(u) \}) \leq Sep(T(v)) + \|T(u)\| - \|T(v)\|$

Proof. Both parts will be shown by induction on $|v| - |u|$. If $|v| = |u|$ we simply conclude $u = v$ and the lemma is trivially true. Now let for the induction step

$u = v_0 \rightarrow \cdots \rightarrow v_{n-1} \rightarrow v_n = v$

be a path in the tree. Then the first part follows from the induction hypothesis and Lemma 5.4.1:

$\|T(u)\| \geq \|T(v_{n-1})\| \geq \|T(v_n)\|$.

For the second part we distinguish whether $v_{n-1}$ was expanded by the REDUCE rule or by one of the rules SWAP, LCANCEL or SPLIT. In the latter case we conclude as follows:

$Sep(T(L_u) \cup \{ T(u) \})$
$\leq Sep(T(v_{n-1})) + \|T(u)\| - \|T(v_{n-1})\|$ [by induction hypothesis]
$\leq Sep(T(v_n)) + \|T(v_{n-1})\| - \|T(v_n)\| + \|T(u)\| - \|T(v_{n-1})\|$ [by SLS-assumption]
$= Sep(T(v)) + \|T(u)\| - \|T(v)\|$.

If, however, $v_{n-1}$ was expanded by the REDUCE rule, observe that $\|T(v_{n-1})\| = \|T(v_n)\|$ since reduction with respect to $R$ preserves the norm. We distinguish two cases:

Case 1: $\min\{ Sep(T(L_u)), Sep(T(v_{n-1})) \} = Sep(T(v_{n-1}))$

From Lemma 5.3.6 we obtain

$Sep(T(v_{n-1})) = Sep(T(L_u) \cup \{ T(v_{n-1}) \}) \leq Sep(T(v_n))$,

while Lemma 5.4.1 yields $\|T(v_{n-1})\| = \|T(v_n)\|$. Thus we can conclude as above.

Case 2: $\min\{ Sep(T(L_u)), Sep(T(v_{n-1})) \} = Sep(T(L_u))$

In this case we have
$Sep(T(L_u) \cup \{ T(u) \})$
$= \min\{ Sep(T(L_u)), Sep(T(u)) \}$ [by definition]
$\leq Sep(T(L_u))$
$= Sep(T(L_u) \cup \{ T(v_{n-1}) \})$ [by assumption]
$\leq Sep(T(v_n))$ [by Lemma 5.3.6]
$\leq Sep(T(v_n)) + \|T(u)\| - \|T(v_n)\|$ [by the first part]
$= Sep(T(v)) + \|T(u)\| - \|T(v)\|$

Lemma 5.5.5. $\forall u \in N_U,\ \forall v \in D_u \setminus \{ u \}$:

- $\|T(v)\| \leq M$

- $Sep(T(L_u)) \leq Sep(T(v)) + M + 1 - \|T(v)\|$

Proof. Let $u$ be labelled by $X_i\alpha = X_j$, and

$u \xrightarrow{\text{UNFOLD}} v_1 \rightarrow \cdots \rightarrow v_n = v$

be a path in the tree such that $v_i \in D_u$ for all $1 \leq i \leq n$. Since the UNFOLD rule was applied to $u$ we have that $X_j \xrightarrow{a} \gamma$ implies $\|\gamma\| \leq M$, for any $a \in Act$, and hence we deduce $\|T(v_1)\| \leq M$. Moreover, we have by assumption about the UNFOLD rule

$Sep(T(L_u))$
$= \min\{ Sep(T(L_u \setminus \{ u \})), Sep(T(u)) \}$
$\leq Sep(T(u))$
$\leq 1 + Sep(T(v_1))$. (5.7)

We proceed by case analysis.

Case 1: $v_1 \in N_U$

The definition of $D_u$ implies that $v = v_1$. Thus $\|T(v)\| \leq M$, as well as

$Sep(T(L_u))$
$\leq Sep(T(v_1)) + 1$ [by (5.7)]
$\leq Sep(T(v_1)) + 1 + M - \|T(v_1)\|$ [by the first part]

Case 2: $v_1 \notin N_U$

In this case Lemma 5.5.4(1) yields $\|T(v)\| \leq \|T(v_1)\| \leq M$. Moreover, we have by definition of $D_u$, and thus

$Sep(T(L_u))$
$\leq \min\{ Sep(T(L_{v_1})), 1 + Sep(T(v_1)) \}$ [by (5.7)]
$\leq Sep(T(L_{v_1}) \cup \{ T(v_1) \}) + 1$
$\leq Sep(T(v)) + 1 + \|T(v_1)\| - \|T(v)\|$ [by Lemma 5.5.4(2)]
$\leq Sep(T(v)) + 1 + M - \|T(v)\|$ [by the first part]



Lemma 5.5.6. Whenever the root $\alpha = \beta$ of the tree is expanded by the UNFOLD rule, i.e. $\varepsilon \in N_U$, we have, for every $v \in N \setminus \{ \varepsilon \}$:

$Sep(\alpha, \beta) \leq Sep(T(v)) + (n - 1)M + 1 - \|T(v)\|$

Proof. Recall that the set of tree nodes can be decomposed as

$N \setminus \{ \varepsilon \} = \bigcup \{ D_{u_i} \setminus \{ u_i \} \mid i \in [p] \}$.

The lemma is then proved by showing, for any $v \in D_{u_i} \setminus \{ u_i \}$:

$Sep(\alpha, \beta) \leq Sep(T(v)) + iM + 1 - \|T(v)\|$

by induction on $i$. For $i = 1$ and $v \in D_{u_1} \setminus \{ u_1 \}$ Lemma 5.5.5 yields

$Sep(\alpha, \beta) = Sep(T(u_1)) = Sep(T(L_{u_1}))$
$\leq Sep(T(v)) + M + 1 - \|T(v)\|$.

In order to show the induction step let now $v \in D_{u_{i+1}} \setminus \{ u_{i+1} \}$. Now either

$Sep(T(u_1))$
$= Sep(T(L_{u_{i+1}}))$
$\leq Sep(T(v)) + M + 1 - \|T(v)\|$ [by Lemma 5.5.5(2)]
$\leq Sep(T(v)) + (i + 1)M + 1 - \|T(v)\|$

or $Sep(T(L_{u_{i+1}})) = Sep(T(u_j))$ for some $1 < j \leq i + 1$ with $u_j \in D_{u_{j-1}}$, from which we finally conclude:

$Sep(\alpha, \beta)$
$\leq Sep(T(u_j)) + (j - 1)M + 1 - \|T(u_j)\|$ [by induction hypothesis]
$\leq Sep(T(v)) + M + 1 - \|T(v)\| + (j - 1)M + 1 - \|T(u_j)\|$ [by Lemma 5.5.5(2)]
$\leq Sep(T(v)) + jM + 1 - \|T(v)\|$
$\leq Sep(T(v)) + (i + 1)M + 1 - \|T(v)\|$

□
Finally, we obtain the main theorem of this section.

Theorem 5.5.1 (Bounded Separability Theorem).

Let $\alpha, \beta \in V^*$ be normed. If $\alpha$ is not bisimilar to $\beta$, then $Sep(\alpha, \beta) \leq B_{\alpha,\beta}$, where

$B_{\alpha,\beta} =_{df} \begin{cases} \|\alpha, \beta\| + 1 & \text{if } \|\alpha\| \neq \|\beta\|, \text{ and} \\ (n - 1)M + 1 + \|\alpha, \beta\| & \text{if } \|\alpha\| = \|\beta\|. \end{cases}$

Proof. Let $\alpha \not\sim \beta$, and $T$ be an unsuccessful tree satisfying the U- and SLS-assumption. If $\|\alpha\| \neq \|\beta\|$, we conclude by Lemma 5.3.3 that

$Sep(\alpha, \beta) \leq \|\alpha, \beta\| + 1 = B_{\alpha,\beta}$.

Now suppose $\|\alpha\| = \|\beta\|$. The theorem is then proved by induction on $\|\alpha, \beta\|$. For the base case assume $\|\alpha, \beta\| = 1$, and let $z$ be the last node of the tree construction which could not be further expanded. By Lemma 5.5.1 we then know

$Sep(T(z)) \leq \|T(z)\| + 1$. (5.8)

If $z = \varepsilon$, we immediately get

$Sep(\alpha, \beta) \leq 1 + \|\alpha, \beta\| \leq B_{\alpha,\beta}$.

Otherwise we have to distinguish which rule has been applied to $\alpha = \beta$. It is easy to see that the REDUCE rule is not applicable to $\alpha = \beta$ due to $R_0 = \emptyset$. The same applies for the LCANCEL rule, since $\|\alpha, \beta\| = 1$ would imply that $\alpha, \beta$ are identical to some $X_i$, yielding a contradiction to the assumption $\alpha \not\sim \beta$. If the root was expanded by the UNFOLD rule, we obtain:

$Sep(\alpha, \beta)$
$\leq (n - 1)M + 1 + Sep(T(z)) - \|T(z)\|$ [by Lemma 5.5.6]
$\leq (n - 1)M + 1 + 1$ [by (5.8)]
$= (n - 1)M + 1 + \|\alpha, \beta\|$ [by assumption]
$= B_{\alpha,\beta}$

Moreover, in case of a SWAP rule application, we have $Sep(\alpha, \beta) = Sep(\beta, \alpha)$. Thus we can conclude for the consequent as in the former cases.

For the induction step assume $\|\alpha, \beta\| = i + 1$, and that the theorem holds for all $\zeta \not\sim \eta$ with $\|\zeta, \eta\| < i + 1$. Then the REDUCE rule is still not applicable to the root. In case of an UNFOLD expansion we apply Lemma 5.5.6 again, and for a SWAP rule application the arguments for the base case apply. Let now the root be of the form $X_i\alpha' = X_i\beta'$ such that the LCANCEL rule is applied to it, yielding the consequent $\alpha' = \gamma\beta'$. Then

$Sep(\alpha, \beta) = Sep(X_i\alpha', X_i\beta')$
$\leq \|X_i\| + Sep(\alpha', \gamma\beta')$ [by SLS-assumption]
$\leq \|X_i\| + B_{\alpha',\gamma\beta'}$ [by induction hypothesis]
$\leq \|X_i\| + (n - 1)M + 1 + \|\alpha', \gamma\beta'\|$
$= (n - 1)M + 1 + \|X_i\alpha', X_i\beta'\|$
$= B_{\alpha,\beta}$

Finally, we consider a SPLIT rule application to a root of the form $X_i\alpha' = X_j\beta'$. Since by Lemma 5.4.1 $\|X_i\alpha', X_j\beta'\| > \|\zeta, \eta\|$ holds for every consequent $\zeta = \eta$, we may apply the induction hypothesis to obtain

$Sep(\alpha, \beta) = Sep(X_i\alpha', X_j\beta')$
$\leq Sep(\zeta, \eta) + \|X_i\alpha', X_j\beta'\| - \|\zeta, \eta\|$ [by SLS-assumption]
$\leq B_{\zeta,\eta} + \|X_i\alpha', X_j\beta'\| - \|\zeta, \eta\|$ [by induction hypothesis]
$\leq B_{\alpha,\beta}$.

This completes the proof. □

To emphasise that the bound is valid for processes $\alpha, \beta$ defined with respect to a BPA system $C$ we will write $B^{C}_{\alpha,\beta}$.

In the next section we will apply this theorem to a slightly larger class of processes, namely BPA$_\delta$. The constant symbol $\delta$ represents deadlock, i.e. a process which cannot proceed. Its behaviour is captured by the axioms $E + \delta = E$ and $\delta E = \delta$. A BPA$_\delta$ system is normed if each variable $X$ is either normed in the usual sense or $X$ deadlocks after finitely many steps. It is easy to extend the proofs given in this section in order to cope with normed BPA$_\delta$ systems, which allows us to apply the bound given above. This technical but straightforward variant is important for the proof of Proposition 5.6.2.



5.6 The Algorithm 

In this section we present our three-step algorithm for deciding bisimilarity of context-free processes. The first two steps are required for the construction of a bisimulation base $B$. Bisimulation bases characterise bisimulation equivalence as the least congruence w.r.t. sequential composition containing $B$. This can be exploited for a branching algorithm, which completes the decision procedure in a third step. We will concentrate on the first step here, as the second step can be obtained by combining results from [CHS92, HJM94], and the third step is rather straightforward.

We start by sketching the second step, which also serves as a good motivation for the subsequently presented first step of our algorithm. Section 5.6.3




138 5. Equivalence Checking 



then presents the branching algorithm for deciding bisimilarity, and finally, 
we summarise the results to obtain the complete decision procedure. 



5.6.1 Bisimulation Bases 



An important difference between the theory of normed and unnormed BPA processes is the existence of two kinds of bisimilar pairs, decomposable and elementary pairs (cf. [CHS92]).

Definition 5.6.1. Let $X_i\alpha \sim X_j\beta$ with $i \leq j$ and $X_i, X_j \in V_N$. We say that the pair $(X_i\alpha, X_j\beta)$ is decomposable if there exists some $\gamma$ such that $\alpha \sim \gamma\beta$ and $X_i\gamma \sim X_j$. If the pair is not decomposable it is said to be elementary.

Observe that whenever $(X_i\alpha, X_j\beta)$ is decomposable, $\gamma$ must be normed due to $X_i\gamma \sim X_j$. Moreover, an immediate consequence of this definition is that if $(X_i\alpha, X_j\beta)$ is elementary, then $\alpha$ and $\beta$ must be unnormed. Thus in the normed case only decomposable pairs can occur.

In order to prove termination of the branching algorithm presented in Section 5.6.3, we need to extend the notion of norm to a seminorm on arbitrary context-free processes as follows.



Definition 5.6.2. We define the seminorm of a variable sequence $\alpha \in \mathcal{P}(V^*)$ as

$\|\alpha\|_s =_{df} \begin{cases} \|\alpha_1\| & \text{if } \alpha = \alpha_1 X \text{ with } X \in V_U \\ \|\alpha\| & \text{otherwise} \end{cases}$

The seminorm is used to define a well-founded quasi-order on $\mathcal{P}(V^*) \times \mathcal{P}(V^*)$ by

$(\alpha_1, \alpha_2) \sqsubseteq (\beta_1, \beta_2)$ iff $\max\{ \|\alpha_1\|_s, \|\alpha_2\|_s \} \leq \max\{ \|\beta_1\|_s, \|\beta_2\|_s \}$.



Next we introduce some notions concerning bases, which are binary relations over $\mathcal{P}(V^+)$.

Definition 5.6.3.

- A base is a binary relation consisting of pairs $(X_i\alpha, X_j\beta) \in \mathcal{P}(V^+) \times \mathcal{P}(V^+)$ with $i \leq j$.

- A base $B$ is called bisimulation-complete if whenever $X_i\alpha \sim X_j\beta$ with $i \leq j$ then one of the following conditions holds:

1. $(X_i\alpha, X_j\beta)$ is decomposable and there are $\gamma, \gamma'$ with $X_i\gamma \sim X_j$, $\gamma' \sim \gamma$ and $(X_i\gamma', X_j) \in B$.

2. $(X_i\alpha, X_j\beta)$ is elementary and $(X_i\alpha', X_j\beta') \in B$ for some $\alpha' \sim \alpha$ and $\beta' \sim \beta$ such that $(\alpha', \beta') \sqsubseteq (\alpha, \beta)$.

- The relation

$\equiv_B =_{df} \bigcup_{i \geq 0} \equiv^i_B$

is defined recursively by:

1. $\varepsilon \equiv^i_B \varepsilon$, and

2. $X_i\alpha \equiv^i_B X_j\beta$ iff

a) $(X_i\gamma, X_j) \in B$ and $\alpha \equiv^j_B \gamma\beta$, for some $j < i$, or

b) $(X_i\alpha', X_j\beta') \in B$, $\alpha \equiv^{j_1}_B \alpha'$ and $\beta \equiv^{j_2}_B \beta'$, for some $j_1, j_2 < i$.

The importance of the relation $\equiv_B$ is revealed by the following lemma.

Lemma 5.6.1.

1. $\equiv_B \subseteq \sim$

2. If $B$ is bisimulation-complete then $\sim \subseteq \equiv_B$.

Proof. The first part is easily proved by induction on $i$. The second part is shown by induction with respect to $\sqsubset$. First observe that $\varepsilon \equiv_B \varepsilon$. Let us now assume $X_i \sim X_j$ for some $X_i, X_j \in V_U$. The pair $(X_i, X_j)$ is elementary, so by bisimulation-completeness of $B$ we know $(X_i, X_j) \in B$, which implies $X_i \equiv_B X_j$. Thus the induction base holds. For the induction step now assume $X_i\alpha \sim X_j\beta$. We have to distinguish two cases. First assume that $(X_i\alpha, X_j\beta)$ is decomposable into $X_i\gamma \sim X_j$ and $\alpha \sim \gamma\beta$ for some $\gamma$. By bisimulation-completeness of $B$ we have $(X_i\gamma', X_j) \in B$ for some $\gamma' \sim \gamma$, which implies $\alpha \sim \gamma'\beta$. Observing that $(\alpha, \gamma'\beta) \sqsubset (X_i\alpha, X_j\beta)$, the induction hypothesis yields $\alpha \equiv_B \gamma'\beta$ and therefore $X_i\alpha \equiv_B X_j\beta$. To show the remaining case assume that $(X_i\alpha, X_j\beta)$ is elementary. Then the bisimulation-completeness of $B$ delivers $(X_i\alpha', X_j\beta') \in B$ for some $\alpha' \sim \alpha$ and $\beta' \sim \beta$ such that $(\alpha', \beta') \sqsubseteq (\alpha, \beta)$. Using $(\alpha', \beta') \sqsubseteq (\alpha, \beta) \sqsubset (X_i\alpha, X_j\beta)$ we conclude by induction $\alpha \equiv_B \alpha'$ and $\beta \equiv_B \beta'$ and therefore $X_i\alpha \equiv_B X_j\beta$. □

The key structure for our decidability result are bisimulation bases $B$. They are important as they characterise bisimulation equivalence as the least congruence w.r.t. sequential composition containing $B$.

Definition 5.6.4 (Bisimulation Base).

A relation $B$ satisfying $\sim = \leftrightarrow^*_B$ is said to be a bisimulation base.

As a consequence of Lemma 5.6.1, one of the inclusions, $\sim \subseteq \leftrightarrow^*_B$, is guaranteed for bisimulation-complete relations $B$. A sufficient condition for the inverse inclusion, which can be proved for our construction, is 'self-bisimulation'.

Definition 5.6.5. Given a base $B$, define the sub-base $\mathcal{R}(B)$ by: $(\alpha, \beta) \in \mathcal{R}(B)$ iff $(\alpha, \beta) \in B$ and

1. $\alpha \xrightarrow{a} \alpha'$ implies $\exists \beta'.\ \beta \xrightarrow{a} \beta' \wedge \alpha' \equiv_B \beta'$

2. $\beta \xrightarrow{a} \beta'$ implies $\exists \alpha'.\ \alpha \xrightarrow{a} \alpha' \wedge \alpha' \equiv_B \beta'$

That $\mathcal{R}$ is a good candidate for successively reducing a bisimulation-complete relation to a bisimulation base is a consequence of the following lemma.
Lemma 5.6.2. Let $B$ be a bisimulation-complete base. Then the following holds:

1. If $(\alpha, \beta) \in B$ and $\alpha \sim \beta$ then $(\alpha, \beta) \in \mathcal{R}(B)$.

2. $\mathcal{R}(B)$ is bisimulation-complete.

Proof. For the first part assume $(\alpha, \beta) \in B$ and $\alpha \sim \beta$. Whenever $\alpha \xrightarrow{a} \alpha'$ then $\beta \xrightarrow{a} \beta'$ and $\alpha' \sim \beta'$ for some $\beta'$. Thus by Lemma 5.6.1 we have $\alpha' \equiv_B \beta'$. Similarly, if $\beta \xrightarrow{a} \beta'$ then $\alpha \xrightarrow{a} \alpha'$ and $\alpha' \sim \beta'$ for some $\alpha'$. Again by Lemma 5.6.1 we conclude $\alpha' \equiv_B \beta'$. So $(\alpha, \beta) \in \mathcal{R}(B)$.

For the second part, assume $X_i\alpha \sim X_j\beta$. If $(X_i\alpha, X_j\beta)$ is decomposable, i.e. if $X_i\gamma \sim X_j$ and $\alpha \sim \gamma\beta$ for some $\gamma$, then by the bisimulation-completeness of $B$ we know $(X_i\gamma', X_j) \in B$ for some $\gamma' \sim \gamma$. Thus $X_i\gamma' \sim X_j$, and by part one the pair $(X_i\gamma', X_j)$ is also contained in $\mathcal{R}(B)$. On the other side, if $(X_i\alpha, X_j\beta)$ is elementary we have by bisimulation-completeness of $B$ that $(X_i\alpha', X_j\beta') \in B$ for some $\alpha' \sim \alpha$ and $\beta' \sim \beta$. Using the first part again, we conclude from $X_i\alpha' \sim X_i\alpha \sim X_j\beta \sim X_j\beta'$ that $(X_i\alpha', X_j\beta') \in \mathcal{R}(B)$. □

Along the lines of [HJM94], this can straightforwardly be exploited to verify that the successive $\mathcal{R}$-refinement of a bisimulation-complete relation indeed yields a bisimulation base: the (additional) fixpoint property of $B$ is sufficient to establish that $B$ is a self-bisimulation.

Theorem 5.6.1. If $B_0$ is a finite bisimulation-complete base then

$B =_{df} \bigcap \{ \mathcal{R}^i(B_0) \mid i \geq 0 \}$

is a bisimulation base, i.e. we have $\sim = \leftrightarrow^*_B$.

Proof. By definition of the sub-base construction we have

$\mathcal{R}^{i+1}(B_0) \subseteq \mathcal{R}^i(B_0)$,

for all $i \geq 0$. Since $\subseteq$ is well-founded there must exist some $k$ such that

$B = \mathcal{R}^{k+1}(B_0) = \mathcal{R}^k(B_0)$,

and hence $B$ is a fixpoint of $\mathcal{R}$, i.e. $\mathcal{R}(B) = B$. Lemma 5.6.2 then guarantees that $B$ is bisimulation-complete, which yields $\sim \subseteq \equiv_B \subseteq \leftrightarrow^*_B$ by Lemma 5.6.1. Moreover, the fixpoint property of $B$ implies by means of Lemma 5.6.1(1) that $B$ is also a self-bisimulation. We thus conclude from Lemma 2.6.4 that also $\leftrightarrow^*_B \subseteq \sim$ holds, which proves that $B$ is a bisimulation base. □

5.6.2 The Computation of an Initial Base 

Now we attack the most difficult step of our algorithm, which deals with the computation of an initial base. In this step we collect a sufficiently large set of pairs such that after completion we may ensure bisimulation-completeness for the obtained base. Our key result, that the search for candidate pairs to be inserted in the initial base may be bounded, will guarantee the effectiveness of this procedure. To start with, we apply the separability bound presented in Section 5.5 to a BPA system $C'$ representing the normed part of the BPA system $C$ at hand. Subsequently, this reduction will admit the development of a finite search for initial candidate pairs.

Recall that $C = (V, Act, \mathcal{E}, X_1)$ is the normalised unnormed BPA system under consideration. We say a variable $Y \in V_U$ is crossing if $Y$ occurs on the right-hand side of some $X \in V_N$, and we denote the set of all crossing variables by $V_C$. Intuitively, starting with a normed process we can only reach an unnormed one by "crossing" a variable of $V_C$. If $\sim_C$ denotes bisimilarity wrt. $C$, we construct a normed BPA$_\delta$ system $C' = (V', Act', \mathcal{E}', X_1)$ from $C$ as follows.

- $V' = V_N \cup V_C$,

- $Act' = Act \cup \{ a_{[Y]_{\sim_C}} \mid Y \in V_C \}$, where each $a_{[Y]_{\sim_C}}$ is an action not occurring in $Act$,

- $\mathcal{E}' = \{ X =_{df} E \in \mathcal{E} \mid X \in V_N \} \cup \{ Y =_{df} a_{[Y]_{\sim_C}}\delta \mid Y \in V_C \}$.

The constructed BPA$_\delta$ system $C'$ represents the labelled transition graph of the normed part of $C$ as illustrated in Figure 5.4.



Fig. 5.4. Illustration of the labelled transition graphs of $C$ and $C'$.



The main idea of the construction is to encode the behaviour of crossing variables into transitions leading to a deadlocked process, thereby obtaining some notion of normedness. Note, however, that the deadlock $\delta$ is used in order to preserve the bisimilarity $Y\alpha \sim Y$ for $Y \in V_C$, $\alpha \in V^*$. With respect to $C$ this bisimilarity is valid due to the unnormedness of $Y$, while $\delta\alpha \sim \delta$ guarantees that $Y\alpha \sim Y$ also holds with respect to $C'$. Formally, we may relate the bisimulations associated with $C$ and $C'$ as stated in the following proposition.

Proposition 5.6.1. For all $\alpha, \beta \in V_N^* \cup V_C$ we have: $\alpha \sim_C \beta$ iff $\alpha \sim_{C'} \beta$.
Proof. To prove the direction from left to right, we will show that

$R =_{df} \sim_C|_{V_N^* \cup V_C} \cup \{ (\delta, \delta) \}$

is a bisimulation wrt. $C'$. As $\delta$ cannot perform any action we distinguish two cases:

Case 1: $\alpha \sim_C \beta$ where $\alpha, \beta \in V_C$.

Let $\alpha \xrightarrow{a_{[\alpha]_{\sim_C}}}_{C'} \delta$ be the only possible transition of $\alpha$. Since $\alpha \sim_C \beta$ and therefore $[\alpha]_{\sim_C} = [\beta]_{\sim_C}$, we obtain by construction of $C'$ that $\beta \xrightarrow{a_{[\alpha]_{\sim_C}}}_{C'} \delta$ and $(\delta, \delta) \in R$. The other direction is shown by symmetric arguments.

Case 2: $\alpha \sim_C \beta$ where $\alpha, \beta \in V_N^*$.

Let $\alpha \xrightarrow{a}_{C'} \alpha'$. Since $\alpha$ is normed we know by construction of $C'$ that also $\alpha \xrightarrow{a}_C \alpha'$, and as $\alpha \sim_C \beta$ this together implies $\beta \xrightarrow{a}_C \beta'$ and $\alpha' \sim_C \beta'$ for some $\beta'$. Again from the construction of $C'$ and the fact that $\alpha', \beta' \in V_N^* \cup V_C$ we finally conclude that $\beta \xrightarrow{a}_{C'} \beta'$ and $(\alpha', \beta') \in R$. The other direction follows in a similar fashion.

For the remaining direction from right to left, we first assume that $\alpha \sim_{C'} \beta$ and $\alpha, \beta \in V_C$. Since

$\alpha \xrightarrow{a_{[\alpha]_{\sim_C}}}_{C'} \delta$ and $\beta \xrightarrow{a_{[\beta]_{\sim_C}}}_{C'} \delta$

are the only possible transitions in $C'$, we conclude from the assumption that $[\alpha]_{\sim_C} = [\beta]_{\sim_C}$ and therefore $\alpha \sim_C \beta$. Finally, the proof is completed by showing that

$R =_{df} \sim_{C'}|_{V_N^*} \cup \sim_C|_{V^*V_U}$

is a bisimulation wrt. $C$. As the case $\alpha \sim_C \beta$ where $\alpha, \beta \in V^*V_U$ is trivial, we only consider the situation when $\alpha \sim_{C'} \beta$ with $\alpha, \beta \in V_N^*$. Thus let $\alpha \xrightarrow{a}_C \alpha'$. From the construction of $C'$ we conclude that $\alpha \xrightarrow{a}_{C'} \alpha'$, and as $\alpha \sim_{C'} \beta$ we have $\beta \xrightarrow{a}_{C'} \beta'$ and $\alpha' \sim_{C'} \beta'$ for some $\beta'$. Now we have either $\alpha', \beta' \in V_C$, which according to the first case yields $\alpha' \sim_C \beta'$ and therefore $(\alpha', \beta') \in R$, or $\alpha', \beta' \in V_N^*$, which also guarantees $(\alpha', \beta') \in R$. Since the other direction is symmetric this completes the proof. □
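As an added example (not code from the monograph), the following Python script computes the norms of a constructed toy BPA system by the usual least-fixpoint iteration, evaluates the bound $B_{\alpha,\beta}$ of Theorem 5.5.1 on a normed system, and carries out the construction of the normed BPA$_\delta$ system $C'$ of this section (crossing variables $V_C$, fresh actions $a_{[Y]}$, deadlock $\delta$). The bisimulation classes $[Y]_{\sim_C}$ that index the fresh actions are taken as an input partition; the default of one class per crossing variable is an assumption of the example, since computing those classes is the very problem being decided.

```python
from math import inf

# A BPA system maps each variable to its summands a_i alpha_i, written as
# (action, list of variables); [] stands for epsilon.  Both systems below are
# constructed for this example and are not taken from the monograph.
NORMED = {                                       # a normed BPA system
    "X1": [("a", ["X2", "X1"]), ("b", [])],      # ||X1|| = 1
    "X2": [("c", ["X1"]), ("d", ["X2", "X2"])],  # ||X2|| = 2
}
UNNORMED = {                                     # X1, X2 normed; Y, Z unnormed
    "X1": [("a", ["X2"]), ("b", ["Y"])],         # Y on a normed rhs: crossing
    "X2": [("c", [])],
    "Y":  [("e", ["Y"]), ("f", ["Z"])],
    "Z":  [("g", ["Z"])],                        # only reachable from Y: not crossing
}
DELTA = "δ"   # the deadlock constant of BPA_delta


def seq_norm(norm, seq):
    """||alpha|| of a variable sequence; ||epsilon|| = 0, inf if unnormed."""
    return sum(norm[V] for V in seq)


def norms(system):
    """Least fixpoint of ||X|| = min_i (1 + ||alpha_i||), starting from inf.

    Every variable is assumed to be guarded with at least one summand.
    A variable that can never reach epsilon keeps norm inf (unnormed)."""
    norm = {X: inf for X in system}
    changed = True
    while changed:
        changed = False
        for X, summands in system.items():
            best = min(1 + seq_norm(norm, seq) for _, seq in summands)
            if best < norm[X]:
                norm[X], changed = best, True
    return norm


def separability_bound(system, alpha, beta):
    """B_{alpha,beta} of Theorem 5.5.1 for a normed BPA system.

    n = card(V); M = greatest norm of a right-hand side sequence alpha_i;
    ||alpha, beta|| = min(||alpha||, ||beta||)."""
    norm = norms(system)
    if any(v == inf for v in norm.values()):
        raise ValueError("Theorem 5.5.1 applies to normed systems only")
    n = len(system)
    M = max(seq_norm(norm, seq) for s in system.values() for _, seq in s)
    na, nb = seq_norm(norm, alpha), seq_norm(norm, beta)
    pair_norm = min(na, nb)
    if na != nb:
        return pair_norm + 1
    return (n - 1) * M + 1 + pair_norm


def crossing_variables(system, norm):
    """V_C: unnormed variables occurring on the right-hand side of a normed one."""
    normed = [X for X in system if norm[X] != inf]
    return {Y for X in normed for _, seq in system[X] for Y in seq
            if norm[Y] == inf}


def normed_part(system, classes=None):
    """Build the normed BPA_delta system C' from C.

    V' = V_N + V_C; the equations of V_N are kept; every crossing Y becomes
    Y = a_[Y] delta, where a_[Y] is a fresh action named after the
    bisimulation class of Y.  `classes` maps crossing variables to class
    labels; the default (one class per variable) is an assumption made for
    this example, since computing the classes is the problem being decided."""
    norm = norms(system)
    V_C = crossing_variables(system, norm)
    classes = classes if classes is not None else {Y: Y for Y in V_C}
    primed = {X: list(s) for X, s in system.items() if norm[X] != inf}
    for Y in sorted(V_C):
        primed[Y] = [("a_[%s]" % classes[Y], [DELTA])]
    return primed


if __name__ == "__main__":
    print("norms:", norms(NORMED))
    print("B(X1, X2)   =", separability_bound(NORMED, ["X1"], ["X2"]))
    print("B(X1X1, X2) =", separability_bound(NORMED, ["X1", "X1"], ["X2"]))
    print("C' of UNNORMED:", normed_part(UNNORMED))
```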

Using this proposition and the following lemma, we are now able to apply the separability bound $B_{\alpha,\beta}$ obtained in the previous section.

Lemma 5.6.3. Let $\alpha \xrightarrow{w} \alpha'$ with $\alpha, \alpha'$ normed and $|w| = l$. Then

$\|\alpha'\| \leq (l(K - 1) + |\alpha|)M$.

Proof. The proof is accomplished by induction on $l$. For $l = 0$ we clearly obtain $\|\alpha'\| = \|\alpha\| \leq |\alpha|M$. Now assume $\alpha = X\beta \xrightarrow{a} \gamma\beta \xrightarrow{w} \alpha'$ with $|w| = l$. Then we conclude by induction hypothesis

$\|\alpha'\| \leq (l(K - 1) + |\gamma\beta|)M$
$\leq (l(K - 1) + (K + |\beta|))M$
$= (l(K - 1) + ((K - 1) + |X\beta|))M$
$\leq ((l + 1)(K - 1) + |\alpha|)M$.

□

Proposition 5.6.2. Consider the BPA system $C$ and let $\zeta$ be normed with $\zeta \not\sim \eta$, $\|\zeta\| \leq \|\eta\|$ and $\zeta\beta \sim \eta\beta$. Then $\beta \sim X$, where $X =_{df} \gamma X$ for some $\gamma \neq \varepsilon$ such that the following conditions hold.

- If $\|\zeta\| < \|\eta\|$ then $\eta \xrightarrow{w} \gamma$ for some fixed $w$ where $\zeta \xrightarrow{w} \varepsilon$ is a norm-reducing transition sequence.

- If $\|\zeta\| = \|\eta\|$ then without loss of generality $\zeta \xrightarrow{w} \varepsilon$ and $\eta \xrightarrow{w} \gamma$ in $|w| \leq B(\zeta, \eta)$ steps, where

$B(\zeta, \eta) =_{df} B^{C'}_{\zeta,\eta} + (B^{C'}_{\zeta,\eta}(K - 1) + |\zeta|)M$.

Proof. First assume $\|\zeta\| < \|\eta\|$. Let $\zeta \xrightarrow{w} \varepsilon$ be a norm-reducing transition sequence. Then $\zeta\beta \xrightarrow{w} \beta$ and $\beta \sim \gamma\beta$ for some $\gamma$ such that $\eta \xrightarrow{w} \gamma$ in $|w| = \|\zeta\|$ steps. Since any system of guarded equations has a unique solution up to bisimulation, we conclude that $\beta \sim X$ where $X =_{df} \gamma X$, which completes the first part.

Now suppose $\|\zeta\| = \|\eta\|$. By Proposition 5.6.1, $Sep_{C'}(\zeta, \eta) = m$ for some $m \geq 1$. Thus we have the following situation: $\zeta = \zeta_m \not\sim_{m,C'} \eta_m = \eta$. Let $\zeta_m \xrightarrow{a_{m-1}} \zeta_{m-1}$ wlog. be a separating transition. Since $\zeta_m\beta \xrightarrow{a_{m-1}} \zeta_{m-1}\beta$ we also have $\eta_m\beta \xrightarrow{a_{m-1}} \eta_{m-1}\beta$ for some $\eta_{m-1}$ such that $\zeta_{m-1}\beta \sim_C \eta_{m-1}\beta$ and $\zeta_{m-1} \not\sim_{m-1,C'} \eta_{m-1}$ due to the separating property of the transition. This construction can repeatedly be applied to obtain sequences $\zeta_m, \ldots, \zeta_1$ and $\eta_m, \ldots, \eta_1$ such that $\zeta_i \not\sim_{i,C'} \eta_i$ and $\zeta_i\beta \sim_C \eta_i\beta$ for all $1 \leq i \leq m$. An illustration is given in Figure 5.5. As the situation is symmetric in this case we may assume $\|\zeta_1\| \leq \|\eta_1\|$. Now observe that by Theorem 5.5.1 we have

$m - 1 = Sep_{C'}(\zeta, \eta) - 1 \leq B^{C'}_{\zeta,\eta} - 1$.

In order to complete the proof we consider two cases:

Case 1: $\|\eta_1\| < \infty$. This implies $\|\zeta_1\| < \infty$, and since $C$ and $C'$ coincide on $V_N^*$ we also have $\zeta_1 \not\sim_{1,C} \eta_1$. As $\zeta_1\beta \sim_C \eta_1\beta$, we obtain $\zeta_1 = \varepsilon$. Hence $\gamma = \eta_1$ suits and we have $|w| = m - 1 \leq B^{C'}_{\zeta,\eta} - 1$.

Case 2: $\|\eta_1\| = \infty$. From $\zeta_1 \not\sim_{C'} \eta_1$ we conclude by Proposition 5.6.1 that $\zeta_1 \not\sim_C \eta_1$. Since $\zeta_1\beta \sim_C \eta_1\beta$, we have $\|\zeta_1\| < \infty$. Thus Lemma 5.6.3 yields

$\|\zeta_1\| \leq ((m - 1)(K - 1) + |\zeta|)M$.

Moreover, for the norm-reducing transition sequence $\zeta_1 \xrightarrow{w'} \varepsilon$ there exists some $\gamma$ such that $\eta_1 \xrightarrow{w'} \gamma$ and $\beta \sim \gamma\beta$. Hence for $w =_{df} a_{m-1} \cdots a_1 w'$ we obtain $\eta = \eta_m \xrightarrow{a_{m-1} \cdots a_1} \eta_1 \xrightarrow{w'} \gamma$ in

$|w| = m - 1 + \|\zeta_1\| \leq B^{C'}_{\zeta,\eta} + (B^{C'}_{\zeta,\eta}(K - 1) + |\zeta|)M$

steps and $\beta \sim X$ where $X =_{df} \gamma X$.

□



Fig. 5.5. The construction of a separating transition track.



The first step of the initial base construction consists of a completion procedure for the given BPA system.

Algorithm 5.6.1. The elementary completion $\mathcal{E}^c$ of a set of equations $\mathcal{E}$ is defined as follows:

- Every equation of $\mathcal{E}$ is contained in $\mathcal{E}^c$.

- For each $i$ and $j$ in the range $1 \leq i \leq j \leq n$ such that $X_i, X_j \in V_N$ fix some norm-reducing transition sequence $X_i \xrightarrow{w} \varepsilon$. Then for each pair $(X_i\gamma, X_j)$ such that $X_j \xrightarrow{w} \gamma$ for some $\gamma$ we do the following:

1. If $\|X_i\gamma\| < \|X_j\|$ then fix some norm-reducing transition sequence $X_i\gamma \xrightarrow{w} \varepsilon$ and add for each $\zeta$ such that $X_j \xrightarrow{w} \zeta$ the equations $Y =_{df} \zeta Y$ and $Y' =_{df} \gamma Y$ to $\mathcal{E}^c$, where $Y, Y'$ are fresh variables.

2. If $\|X_i\gamma\| > \|X_j\|$ then fix some norm-reducing transition sequence $X_j \xrightarrow{w} \varepsilon$ and add for each $\zeta$ such that $X_i\gamma \xrightarrow{w} \zeta$ the equations $Y =_{df} \zeta Y$ and $Y' =_{df} \gamma Y$ to $\mathcal{E}^c$, where $Y, Y'$ are fresh variables.

3. If $\|X_i\gamma\| = \|X_j\|$ then add for each $\zeta$ such that
- $X_i\gamma \xrightarrow{w} \varepsilon$, $X_j \xrightarrow{w} \zeta$ in $|w| \leq B(X_i\gamma, X_j)$ steps, or
- $X_j \xrightarrow{w} \varepsilon$, $X_i\gamma \xrightarrow{w} \zeta$ in $|w| \leq B(X_i\gamma, X_j)$ steps
the equations $Y =_{df} \zeta Y$ and $Y' =_{df} \gamma Y$ to $\mathcal{E}^c$, where $Y, Y'$ are fresh variables.

The equations generated from a pair $(X_i\gamma, X_j)$ are also called the elementary completion of $(X_i\gamma, X_j)$.

During this completion we will add new equations to $\mathcal{E}$ in order to explicitly denote some needed bisimulation classes. Note, however, that each equation added to $\mathcal{E}$ defines an unnormed variable which is bisimilar to $\gamma\zeta^\omega$ for some $\gamma, \zeta$, and that no new variable is reachable from any of the original variables. Thus the bisimulation classes generated by finite sequences over $V$ are unchanged after completion.

Algorithm 5.6.2 (Initial base $B_0$ construction). 

Let $\mathcal{E}^c$ be the elementary completion of $\mathcal{E}$, and let $V^c$ be its set of variables, 
i.e. $V_N \cup V_U$ together with the fresh variables introduced by the completion. 

Step 1: For each $i$ and $j$ in the range $1 \le i < j \le n$ such that $X_i, X_j \in V_N$ fix 
some $w$ and some $[X_j]_{\|X_i\|}$ such that $X_j \xrightarrow{w} [X_j]_{\|X_i\|}$ in $|w| = \|X_i\|$ 
norm-reducing steps. Then $(X_i[X_j]_{\|X_i\|}, X_j) \in B_0$. 

Step 2: For each $i$ and $j$ in the range $1 \le i < j \le n$ such that $X_i, X_j \in V_N$ 
let $w$ be the path labelling chosen during the elementary completion. 
Then for each $\gamma$ such that $X_j \xrightarrow{w} \gamma$ let $(X_iY', X_jY) \in B_0$ if $Y =_{df} 
\zeta Y$ and $Y' =_{df} \gamma Y$ are contained in the elementary completion of 
$(X_i\gamma, X_j)$. 

Step 3: For each $i$ and $j$ in the range $1 \le i < j \le n$ such that $X_i, X_j \in V_U$ 
let $(X_i, X_j) \in B_0$. 

Step 4: For each $X_i \in V_N$ and $X_j \in V_U$ let 

$\{ (X_i[X_j]_{\|X_i\|}, X_j) \mid X_j \xrightarrow{w} [X_j]_{\|X_i\|} \text{ in } |w| = \|X_i\| \text{ steps} \} \subseteq B_0.$ 

Moreover, let $S$ be the maximal seminorm of all $[X_j]_{\|X_i\|}$ obtained. 
Then add also $\{ (X_i\alpha, X_j) \mid \|\alpha\|_s \le S \}$ to $B_0$. 

Intuitively, in step 1 we collect all candidate pairs $(X_i\gamma, X_j)$ needed for 
the reduction of decomposable pairs, while step 2 collects a sufficiently large 
set of candidate elementary pairs $(X_iY', X_jY)$. Step 3 simply includes all 
pairs $(X, Y)$ where $X, Y$ are unnormed since there may also exist elemen- 
tary pairs of this form. Finally, step 4 collects possible elementary pairs of 
the form $(X_i\alpha, X_j)$, together with all smaller pairs, thereby ensuring that the 
initial base will contain all minimal elementary pairs as required by condi- 
tion (2) of bisimulation-completeness. That the constructed base admits the 
computation of a bisimulation base is now a consequence of the following 
theorem. 

Theorem 5.6.2. The initial base $B_0$ is bisimulation-complete. 
Proof. Assume $X_i\alpha \sim X_j\beta$, and let us first consider the case when $(X_i\alpha, X_j\beta)$ 
is decomposable, i.e. $X_i\gamma \sim X_j$ and $\alpha \sim \gamma\beta$ for some $\gamma$. Let $w$ be the norm- 
reducing transition sequence of length $\|X_i\|$ chosen in step (1) of the in- 
itial base construction. Then due to $X_j \xrightarrow{w} [X_j]_{\|X_i\|}$ we have $X_i\gamma \xrightarrow{w} \gamma$ and 
$\gamma \sim [X_j]_{\|X_i\|}$. Thus the pair $(X_i[X_j]_{\|X_i\|}, X_j) \in B_0$ satisfies condition (1) for 
bisimulation-completeness. 

Now assume $(X_i\alpha, X_j\beta)$ is elementary. 

Case 1: $X_i, X_j \in V_N$ 

Let $X_i \xrightarrow{w} \varepsilon$ be the norm-reducing transition sequence chosen during the 
elementary completion. Then $X_i\alpha \xrightarrow{w} \alpha$, $X_j\beta \xrightarrow{w} \gamma\beta$ and $\alpha \sim \gamma\beta$ for some 
$\gamma$ such that $X_j \xrightarrow{w} \gamma$. Thus we also have $X_i\gamma\beta \sim X_i\alpha \sim X_j\beta$. Moreover, 
we know $X_i\gamma \not\sim X_j$ due to the undecomposability of the pair $(X_i\alpha, X_j\beta)$. 
Observing that $\min\{\|X_i\gamma\|, \|X_j\|\}$ is finite allows us to apply Lemma 
5.6.2. We distinguish the following cases. 

1. $\|X_i\gamma\| < \|X_j\|$ 

For the norm-reducing transition sequence $X_i\gamma \xrightarrow{u} \varepsilon$ fixed during 
elementary completion we have $X_j \xrightarrow{u} \zeta$ and $\beta \sim \zeta\beta$ for some $\zeta$. So 
there exist equations $Y =_{df} \zeta Y$, $Y' =_{df} \gamma Y \in \mathcal{E}^c$ with $Y \sim \beta$ and 
$Y' \sim \gamma Y \sim \gamma\beta \sim \alpha$. Due to step (2.) we have $(X_iY', X_jY) \in B_0$ and 
obviously this pair is minimal wrt. $\sqsubset$. 

2. $\|X_i\gamma\| > \|X_j\|$ 

This case is treated in the same way as the previous one. 

3. $\|X_i\gamma\| = \|X_j\|$ 

Then without loss of generality for a transition sequence $X_i\gamma \xrightarrow{u} 
\varepsilon$ with $|u| \le B(X_i\gamma, X_j)$ we have $X_j \xrightarrow{u} \zeta$ and $\beta \sim \zeta\beta$. Again 
the elementary completion ensures the existence of equations $Y =_{df} 
\zeta Y$, $Y' =_{df} \gamma Y \in \mathcal{E}^c$ with $Y \sim \beta$ and $Y' \sim \gamma Y \sim \gamma\beta \sim \alpha$. Due to 
step (2.) we have $(X_iY', X_jY) \in B_0$ and obviously this pair is also 
minimal wrt. $\sqsubset$. 

Case 2: $X_i, X_j \in V_U$, $\alpha = \beta = \varepsilon$ 

Then by step (3.) $(X_i, X_j) \in B_0$. Note that this pair is minimal wrt. $\sqsubset$. 

Case 3: $X_i \in V_N$, $X_j \in V_U$, $\beta = \varepsilon$ 

Let $X_i \xrightarrow{w} \varepsilon$ be a norm-reducing transition sequence. Then $X_i\alpha \xrightarrow{w} 
\alpha$, $X_j \xrightarrow{w} \alpha'$ and $\alpha \sim \alpha'$ for some $\alpha'$. Due to step (4.) we have 
$(X_i\alpha', X_j) \in B_0$. If there exists $\alpha''$ with $\alpha'' \sim \alpha'$ and $\|\alpha''\|_s < \|\alpha'\|_s$ then 
the seminorm down closure ensures that $(X_i\alpha'', X_j)$ is also contained in 
$B_0$. 

□ 



5.6.3 The Branching Algorithm 

Now assume that we have refined our initial base $B_0$ constructed in the 
previous section by means of the sub-base construction $\mathcal{R}$ to a bisimulation 
base $B$. Deciding bisimilarity of two processes $\alpha, \beta$ is then accomplished by 
using a tableau system in the style of [HS91]. 

A tableau system is a goal-directed proof system defined by a set of proof 
rules, and thus similar to a branching algorithm. The difference lies in the 
proof strategy, i.e. the choice of the current subgoal to which a rule is applied 
next, which is fixed for branching algorithms but left unspecified for tableau 
systems. 

To determine whether $\alpha = \beta$ we construct a tableau for $\alpha = \beta$ using the 
rules given in Table 5.3. As usual, a tableau for $\alpha = \beta$ is a maximal finite 
proof tree with root $\alpha = \beta$ such that the equations labelling the immediate 
successors of a node are obtained by application of some rule. If none of the 
rules is applicable to a node it is called a terminal. Moreover, we call a 
terminal successful if it is labelled with $\varepsilon = \varepsilon$, and unsuccessful otherwise. 
Accordingly, a tableau is said to be successful if all its leaves are successful 
terminals. 



I:    $\dfrac{\alpha = \beta}{\varepsilon = \varepsilon}$    if $(\alpha, \beta) \in B$ 

I':   $\dfrac{\beta = \alpha}{\varepsilon = \varepsilon}$    if $(\alpha, \beta) \in B$ 

D:    $\dfrac{X_i\alpha = X_j\beta}{\alpha = \gamma\beta}$    if $(X_i\gamma, X_j) \in B$ 

D':   $\dfrac{X_j\beta = X_i\alpha}{\alpha = \gamma\beta}$    if $(X_i\gamma, X_j) \in B$ 

E:    $\dfrac{X_i\alpha = X_j\beta}{\alpha = \alpha' \qquad \beta = \beta'}$    if $(X_i\alpha', X_j\beta') \in B$ and $(\alpha', \beta') \sqsubset (\alpha, \beta)$ 

E':   $\dfrac{X_j\beta = X_i\alpha}{\alpha = \alpha' \qquad \beta = \beta'}$    if $(X_i\alpha', X_j\beta') \in B$ and $(\alpha', \beta') \sqsubset (\alpha, \beta)$ 

Table 5.3. The tableau rules for deciding bisimulation; the primed rules are the 
duals of I, D and E, obtained by exchanging the two sides of the premise. 



The decidability, soundness, and completeness of the tableau method is 
proved in the following propositions. 

Proposition 5.6.3. There exist only finitely many tableaux for $\alpha = \beta$, and 
each of them is finite. 

Proof. Let $T$ be a tableau for $\alpha = \beta$. Observe that $T$ is finitely branching 
since the rules applied have only one or two consequents. Moreover, for each 
consequent $\zeta' = \eta'$ of a premise $\zeta = \eta$ we have $(\zeta', \eta') \sqsubset (\zeta, \eta)$, which bounds 
the length of each path in $T$ in terms of $(\alpha, \beta)$. Hence, according to König's Lemma 
$T$ must be finite. 
Since the number of applicable rules, as well as the bisimulation base, is 
finite we conclude from the bounded length of each path in a tableau that 
only finitely many tableaux can exist for $\alpha = \beta$. □ 

Proposition 5.6.4. The tableau method is sound and complete, i.e. we have 
$\alpha \sim \beta$ iff there exists a successful tableau for $\alpha = \beta$. 

Proof. Assume $\alpha \sim \beta$. Due to bisimulation-completeness of $B$ it is possible 
to build a tableau for $\alpha = \beta$ such that for every node labelling $\zeta = \eta$ we have 
$\zeta \sim \eta$. Since by Proposition 5.6.3 this construction must terminate, all leaves 
are labelled by $\varepsilon = \varepsilon$, and thus successful. Hence, the tableau itself is also 
successful. 

Now suppose $T$ is a successful tableau for $\alpha = \beta$. To prove $\alpha \sim \beta$ we 
show $\zeta \sim \eta$ for every node labelling $\zeta = \eta$ in $T$ by induction on tree depth. The 
proof relies on the bisimilarity $\gamma \sim \sigma$ for each $(\gamma, \sigma) \in B$. Obviously, 
we have $\varepsilon \sim \varepsilon$ for every successful leaf. Now let $\zeta = \eta$ be the labelling 
of an inner node and assume that $\zeta' \sim \eta'$ for all consequents $\zeta' = \eta'$ of 
$\zeta = \eta$. First, if the I-rule is applied to $\zeta = \eta$ we deduce $\zeta \sim \eta$ due to 
$(\zeta, \eta) \in B$. Second, if $\zeta = \eta$ is the premise of a D-rule application let $\zeta = X_i\alpha'$, 
$\eta = X_j\beta'$, and $\alpha' = \gamma\beta'$ be the consequent. Then we have $X_i\gamma \sim X_j$ due to 
$(X_i\gamma, X_j) \in B$, and $\alpha' \sim \gamma\beta'$ by induction hypothesis. From this we conclude 
$X_i\alpha' \sim X_i\gamma\beta' \sim X_j\beta'$, as desired. Finally, in case of an E-rule application to 
$\zeta = \eta$ let $\zeta = X_i\alpha'$, $\eta = X_j\beta'$, and $\alpha' = \alpha''$, $\beta' = \beta''$ be the consequents. 
By induction hypothesis we then know $\alpha' \sim \alpha''$ and $\beta' \sim \beta''$ which yields 
$X_i\alpha' \sim X_i\alpha'' \sim X_j\beta'' \sim X_j\beta'$ due to $(X_i\alpha'', X_j\beta'') \in B$. The remaining 
cases where a dual rule is applied to $\zeta = \eta$ are dealt with in an entirely similar way. □ 
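The candidate-pair construction of Algorithm 5.6.2 and the tableau rules of Table 5.3 are easiest to follow on a small system. The following Python program is an added example, not code from the monograph: it computes norms as a least fixpoint, collects the candidate pairs of steps 1, 3 and 4 of Algorithm 5.6.2 (step 2, i.e. the elementary completion of Algorithm 5.6.1, and the seminorm down-closure of step 4 are not reproduced), and searches for a successful tableau under the rules I, D and E together with their duals. The BPA system, the base handed to the tableau (the three step-1 candidates, which are bisimilar, plus the reflexive pairs $(X, X)$ so that rule D can cancel equal heads) and the order on pairs (the sum of the norms of both sides, which stands in for the order $\sqsubset$ of the text and is adequate only for goals over normed variables) are all assumptions of the example.

```python
"""Added example (not from the monograph): norms, the initial-base candidates
of steps 1, 3 and 4 of Algorithm 5.6.2, and the tableau rules of Table 5.3,
run on a constructed toy BPA system in Greibach normal form."""
from itertools import combinations, product

INF = float("inf")

# Constructed system (assumption): X = a + b.XX, Y = a + b.XY, Z = a.X + b.XZ
# are normed with X ~ Y and Z ~ XX; U = a.U and W = a.W + b.U are unnormed.
SYSTEM = {
    "X": [("a", ()), ("b", ("X", "X"))],
    "Y": [("a", ()), ("b", ("X", "Y"))],
    "Z": [("a", ("X",)), ("b", ("X", "Z"))],
    "U": [("a", ("U",))],
    "W": [("a", ("W",)), ("b", ("U",))],
}
ORDER = ["X", "Y", "Z", "U", "W"]  # fixes the indices X_1, ..., X_n

# Base assumed for the tableau: the three step-1 candidates computed below
# (bisimilar, checked by hand; the refinement R is not reproduced) plus the
# reflexive pairs (X, X), an assumption that lets rule D cancel equal heads.
BASE = {(("X",), ("Y",)), (("X", "X"), ("Z",)), (("Y", "X"), ("Z",))}
BASE |= {((x,), (x,)) for x in ORDER}

def norms(system):
    """Least-fixpoint norms: ||X|| = min over summands a.alpha of 1 + ||alpha||,
    with ||eps|| = 0; variables that never reach eps keep norm infinity."""
    n = {x: INF for x in system}
    changed = True
    while changed:
        changed = False
        for x, summands in system.items():
            best = min(1 + sum(n[v] for v in alpha) for _, alpha in summands)
            if best < n[x]:
                n[x], changed = best, True
    return n

def steps(system, n, seq, k, norm_reducing):
    """All (w, residue) with seq -w-> residue in exactly k steps; with
    norm_reducing=True every step must lower the norm of the head by one."""
    frontier = {((), tuple(seq))}
    for _ in range(k):
        nxt = set()
        for w, s in frontier:
            for act, alpha in (system[s[0]] if s else []):
                if norm_reducing and 1 + sum(n[v] for v in alpha) != n[s[0]]:
                    continue
                nxt.add((w + (act,), alpha + s[1:]))
        frontier = nxt
    return frontier

def initial_base_candidates(system, n, order):
    """Steps 1, 3 and the first half of step 4 of Algorithm 5.6.2; step 2 (the
    elementary completion) and the seminorm down-closure are not reproduced."""
    normed = [x for x in order if n[x] < INF]
    unnormed = [x for x in order if n[x] == INF]
    base = set()
    for xi, xj in combinations(order, 2):              # i < j
        if xi in normed and xj in normed:              # step 1
            cands = sorted(steps(system, n, (xj,), n[xi], True))
            if cands:                                  # fix some w and [X_j]_{||X_i||}
                base.add(((xi,) + cands[0][1], (xj,)))
        elif xi in unnormed and xj in unnormed:        # step 3
            base.add(((xi,), (xj,)))
    for xi, xj in product(normed, unnormed):           # step 4: every w of length ||X_i||
        for _, res in steps(system, n, (xj,), n[xi], False):
            base.add(((xi,) + res, (xj,)))
    return base

def by_norm_sum(n):
    """Stand-in for the order on pairs (assumption; adequate for normed goals
    only): compare the sums of the norms of both sides."""
    def measure(pair):
        return sum(n[v] for side in pair for v in side)
    return lambda p, q: measure(p) < measure(q)

def tableau(base, smaller, goal):
    """True iff a successful tableau for goal = (alpha, beta) exists under rules
    I, D, E and their duals; every consequent must be smaller than its premise
    (Proposition 5.6.3), which is also what makes the search terminate."""
    a, b = goal
    if (a, b) in base or (b, a) in base:               # I and I'
        return True
    if not a or not b:                                 # terminal node:
        return a == b                                  # successful iff eps = eps
    for left, right in ((a, b), (b, a)):               # a rule and its dual
        xi, alpha, xj, beta = left[0], left[1:], right[0], right[1:]
        for lhs, rhs in base:
            if lhs[:1] != (xi,) or rhs[:1] != (xj,):
                continue
            gamma, rest = lhs[1:], rhs[1:]
            cons = [[(alpha, gamma + beta)]] if not rest else []   # D: (X_i gamma, X_j) in B
            if smaller((gamma, rest), (alpha, beta)):              # E: (X_i alpha', X_j beta') in B
                cons.append([(alpha, gamma), (beta, rest)])
            if any(all(smaller(c, goal) and tableau(base, smaller, c) for c in cs)
                   for cs in cons):
                return True
    return False

if __name__ == "__main__":
    print(sorted(initial_base_candidates(SYSTEM, norms(SYSTEM), ORDER)))
    print(tableau(BASE, by_norm_sum(norms(SYSTEM)), (("X", "X", "X"), ("Z", "X"))))
```

Running the file prints the thirteen candidate pairs and the verdict for $XXX = ZX$, which the tableau closes by rule D with $(XX, Z) \in B$ and then by cancelling the equal heads. A goal with an unnormed side has infinite measure under the stand-in order, so only rule I can close it; this is the price of replacing the order of the text, and it is why the demonstration of the tableau is restricted to normed goals.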

5.6.4 Summary of the Decision Procedure 

The overall algorithm proceeds in three steps: 

1. Computation of an initial base $B_0$ by means of the algorithm presented 
in Section 5.6.2. This algorithm terminates with a base of elementary 
size. 

2. Refinement of $B_0$ by iterative application of $\mathcal{R}$ until a bisimulation base 
is reached, which is the case after at most $|B_0|$ iterations. As $B_0$ is of 
elementary size and each iteration itself is elementary, this step is also 
elementary. 

3. Decision of $\alpha \sim \beta$ by means of a straightforward (obviously elementary) 
branching algorithm. 

Summarising we can conclude: 

Theorem 5.6.3 (Main Theorem). 

Our three step bisimulation decision algorithm is elementary. 
Remark: Our complexity analysis is quite rough. A more careful analysis 
would reveal quite a small ‘exponentiality’ which, nevertheless, is intractable 
for practical purposes. Our main result is therefore the effectivity 
of the bisimulation decision procedure for arbitrary context-free processes. 




6. Summary and Perspectives 



In this monograph we have considered syntactical, logical and semantical 
analysis and verification methods for the class of context-free processes, as 
well as its generalisation the class of pushdown processes. By exploiting 
structural properties of the underlying process model the presented algo- 
rithms have clearly demonstrated that an automated reasoning about these 
restricted, but nevertheless expressive, classes of infinite-state systems is in- 
deed possible. Although the developed algorithms are quite intricate as the 
associated decision problems are already very close to the dividing line be- 
tween decidability and undecidability, we hope that they provide a better 
understanding of the theory of infinite-state concurrent systems. 

In this final chapter we will summarise our achievements, present relevant 
results which have been obtained since the submission of my Ph.D. thesis and 
give some directions for further research. 



6.1 Summary of the Main Results 

In Chapter 3 we proposed Pushdown Process Algebra (PDPA) as a suit- 
able framework for modelling pushdown processes. We introduced the PDPA 
laws and showed a normal form theorem stating that any guarded PDPA 
system may effectively be transformed into an up to bisimilarity equivalent 
PDPA system in Pushdown Normal Form. We furthermore investigated par- 
allel compositions involving pushdown processes. In particular, we showed 
that the class of pushdown processes is up to relabelling the smallest exten- 
sion of the class of context-free processes closed under parallel composition 
with finite-state systems. 

In Chapter 4 we developed an iterative model checker that decides the 
alternation-free fragment of the $\mu$-calculus for pushdown processes, thus com- 
plementing local tableau-based methods investigated in [HS93]. The cor- 
rectness and soundness of our algorithm relies on a second-order variant of 
the ordinary semantics of $\mu$-formulas which raises the iteration domain from 
sets of states, or dually sets of formulas, to functions over sets of formulas. 
The complexity of the algorithm is exponential in the size of the formula to 
be verified, but only quadratic in the size of the PDPA system in question. 
We furthermore showed a regularity property of the semantics of $\mu$-formulas 
when interpreted on pushdown transition graphs. 

In Chapter 5 we presented a branching algorithm for deciding bisimilarity 
of normed context-free processes. Exploiting the tree structure of this branch- 
ing algorithm we proved that the number of transitions needed to distinguish 
two non-bisimilar normed context-free processes is bounded by a constant 
which only depends on the given processes and the BPA system under con- 
sideration. This result generalises work of Caucal [Cau89] who considered 
only the deterministic case. Using our new bound we furthermore showed 
how to effectively compute a bisimulation base for a given BPA system, ex- 
tending the result of Christensen, Hüttel and Stirling [CHS92] who proved 
the mere existence of such a base. Finally, we obtained by combining this 
base construction with a tableau system in the style of Hüttel and Stir- 
ling [HS91] an elementary decision procedure for bisimulation equivalence of 
arbitrary context-free processes. 



6.2 Perspectives 

In the rest of this chapter we give directions for further research and describe 
open problems related to this monograph. That the analysis and verification 
of infinite-state systems is currently receiving a lot of attention in the con- 
currency theory community is underpinned by the fact that most of the open 
problems we stated at the submission time of my thesis in summer 1995 have 
been solved in the meantime. The following exposition summarises the state 
of the art, and, in particular, provides the relevant references. 

6.2.1 Model Checking 

An important problem not addressed in this monograph and only recently 
solved in [BS97] is how to extend the model checking algorithm to the full 
modal $\mu$-calculus. Even though the semantics of $\mu$-formulas becomes discon- 
tinuous when allowing alternating nested fixpoints, the second-order semantics, 
which is more oriented at the regular structure of pushdown processes, seems 
to cope elegantly with this problem. However, the difficulty of establishing 
the correctness and soundness of an extended model checker that decides 
the full modal $\mu$-calculus lies in the orthogonality of property transformers 
and state sets. As we have shown, a family of property transformers may 
be used to define state sets representing the semantics of subformulas, and 
on the other hand, state sets induce a family of property transformers. In 
the alternation-free case these two points of view are easy to match, whereas 
deeper alternation depths, where some sort of induction is required, make the 
task of matching much harder. As proved in [BS97], it turns out that the 
straightforward extension of our model checker, where according to the par- 
ities of the equational system alternating fixpoints also occur in the PT-scheme, 
is indeed the desired algorithm. The only complication arises from the 
need that now also valuations have to be taken into account when proving 
the correctness of the algorithm. Fortunately, all this additional complexity 
is only required for the proof and need not be considered for an implemen- 
tation. 

A different line of research has been pursued in [BQ97] and [Bur97] where 
our model checking algorithm has been generalised in order to deal with 
families of infinite-state systems more expressive than pushdown processes. 
Whereas the first paper presents an adaptation of the notion of predicate 
transformer to the framework of hypergraph grammars as introduced in Sec- 
tion 3.8.4, which allows the handling of infinitely branching transition graphs, 
the second paper shows how to verify an even more expressive class of tran- 
sition graphs introduced in [Cau96] by encoding the acceptance of regular 
languages into $\mu$-formulas and using the model checker for the full $\mu$-calculus. 

Another interesting question is whether our automata-based construc- 
tion showing the regularity of $\mu$-formula semantics on pushdown transition 
graphs may be exploited for obtaining new results about the expressiveness 
of $\mu$-formulas. Using radically different techniques, the open problem whether 
the alternation depth of $\mu$-formulas induces a hierarchy with respect to ex- 
pressiveness has been answered by Lenzi [Len96] and Bradfield [Bra96] in the 
affirmative. While Lenzi uses a topological approach for the proof, Bradfield 
transfers a strictness result for an alternation hierarchy of arithmetic with 
fixpoints. 

6.2.2 Equivalence Checking 

Decidability of bisimulation equivalence for arbitrary context-free processes 
was first presented in [CHS92]. The result relies on the existence of two semi- 
decision procedures: one searching for a finite bisimulation base and one testing 
for non-bisimilarity. Hence, no complexity measure could be given. The pur- 
pose of our studies was therefore to find a single decision procedure which 
would open a new area for complexity improvements. However, it 
turned out that the mere exploitation of the separability bound gives a highly 
nondeterministic algorithm, which precludes any practical applicability. 
Our work can thus only be seen as a first step in the direction of obtaining 
a more realistic decision algorithm, as is also reflected by our rough complexity 
estimation. Moreover, the lower complexity bound for deciding bisimilarity 
of context-free processes remains a question still to be answered. Neverthe- 
less, the new results underpin the importance of bisimulation bases for the 
theory of BPA processes. So we may ask whether it is possible to find struc- 
tural properties of bisimulation bases which would allow for better decision 
algorithms. 

A related issue is the bisimulation equivalence problem for the larger class 
of pushdown processes. Since this problem is closely connected to the problem 
of deciding language equivalence for deterministic pushdown automata, as 
well as to the problem of deciding equivalence for monadic recursion schemes, 
we cannot expect a simple answer. Obviously, the approach using bisimulation 
bases is not applicable to this class of processes as a vertex in a pushdown 
transition graph corresponds not only to a sequence of nonterminals, but 
incorporates also an additional control state. However, our characterisation 
theorem indicates that processes of the form 

$(\mathcal{C} \parallel \mathcal{R})$ 

where $\mathcal{C}$ is a context-free process and $\mathcal{R}$ is a regular process are candidates for 
further investigation. The difficulty in applying the approach of bisimulation 
bases to the context-free component lies in the required synchronisation with 
the regular process leading to forbidden transitions. 

Nevertheless, two outstanding breakthroughs have been achieved in this 
area in the recent past. First, Stirling [Sti96] proved that bisimulation equiv- 
alence is decidable for normed pushdown processes. He successfully attacked 
this problem by introducing a new tableau system in conjunction with re- 
cursive constants capturing the possible termination behaviour of pushdown 
processes. In a second landmark paper Sénizergues [Sen97] showed the de- 
cidability of language equivalence for deterministic pushdown automata. His 
result is based on considering deterministic rational series and applying a tri- 
angulation technique from linear algebra. However, the proof is very intricate 
and a careful analysis is required in order to obtain an intuitive understand- 
ing. 



6.2.3 Regularity of Context-Free Processes 

From classical language theory it is known that regularity of context-free lan- 
guages is undecidable. Nevertheless, the decidability of bisimulation equiva- 
lence for context-free processes indicates that in the finer setting of bisimula- 
tion semantics the situation may be different. As a first step in this direction, 
Mauw and Mulder [MM94] have shown that it is decidable whether a com- 
plete BPA specification is regular, i.e. whether all variables define a regular 
process. However, the more interesting question seems to be whether a given 
single variable is regular. 

Exploiting the effective characterisation of all bisimulation equivalence 
classes, as given by our decision algorithm, the decidability of this problem 
has recently been established in [BCS96] where it was shown that the factori- 
sation of a context-free process with respect to bisimulation equivalence is 
effectively a transition graph representable by means of a hypergraph gram- 
mar. Since finiteness is decidable for these transition graphs, now called reg- 
ular graphs, this yields, as a corollary, a decision procedure for the regularity 
problem of context-free processes. 